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Industrial Architectures, Systems & Communications 
1.ICS Reference Architecture 


As the number of cyberattacks in the energy field has been 
continuously increased, it is mandatory for organizations to ensure 
that the appropriate technical controls are in place, detect, and 
promptly mitigate any potential security event. While in our previous 
article we presented our overall methodology for an effective 
Cybersecurity Management, in this article we focus on the ICS 
architecture review process as an important tool for the evaluation 
of the security controls and the enhancement of cybersecurity within 
the energy field. 


Industrial Control Systems (ICS) are crucial for industrial units and 
critical infrastructure worldwide, serving the most essential and 
necessary functions of modern societies. ICS have some unique 
functionalities, such as the need for real-time response, and 
extremely high availability, predictability, and reliability. The ICS 
architecture should be regularly reviewed taking into account the 
identification of ICS assets, the network flows between the ICS 
network and the corporate network, the roles and responsibilities of 
the personnel who maintain ICS systems and have access to ICS 
systems, and the business requirements of an organization. 


An inventory of ICS assets should be in place including the asset 
name, the asset category, the architecture level, the type of machine, 
the location, the asset owner, the serial number, the SW version, the 
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protocol, the patching level etc. The most secure and effective way to 
design a network architecture for developing ICS systems on critical 
infrastructure is to separate the ICS network from the corporate 
network, because the nature of network traffic on these two 
networks is different. 


Networks should be segregated based on the Site Owners’ business 
levels. However, ICS should be in a network segment separated from 
business systems, development, or application test systems, and the 
network should be segregated horizontally and vertically. Network 
firewalls and VLANs should be implemented and reviewed to control 
the network traffic between networks, restrict connectivity to and 
from internal networks servicing sensitive functions, and prevent 
unauthorized access to critical systems and areas. 


Traffic should be prevented from transmitting directly from the 
control network to the corporate network and terminated in the 
DMZ. Any protocol allowed between the control network and DMZ 
should not be allowed between the DMZ and corporate networks 
(and vice-versa). All outbound traffic from the control network to the 
corporate network should be source and destination-restricted by 
service and port. Outbound packets from the control network or 
DMZ should be allowed only if those packets have a correct source IP 
address that is assigned to the control network or DMZ devices. 


Network devices logs should be monitored on a regular basis. 
Specifically, firewall and ICS logs should be checked daily by the IT 
Manager of the plant. Network security monitoring is valuable to 
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characterize the normal state of the ICS and can provide indications 
of compromised systems when signature-based technologies fail. 
Additionally, strong system monitoring, logging, and auditing should 
be implemented to troubleshoot and perform any necessary forensic 
analysis of the systems. 


Intrusion Detection Systems (IDS) should also be in place for 
monitoring events on an ICS network or system and identifying a 
potential intruder. The two most commonly used types of IDS are 
Network-Based IDS for monitoring network traffic and Host-Based 
IDS for monitoring one or more types of characteristics of a system 
(log files, configuration changes, access to sensitive data). All 
network equipment should be physically protected, placed in a 
Control Center where only authorized persons have access. 


Access to all Industrial Control Systems should be controlled to limit 
access to authorized users, including secure time-out log-on and 
session timeout procedures. In addition, default passwords should be 
changed immediately, multi-factor authentication should be enabled, 
and password complexity should be enforced at all critical ICS 
systems. Finally, all remote access should take place via a Virtual 
Private Network (VPN) and through Jump host (where appropriate) 
and only to persons authorized by their domains. 


One of the most common and secure architectures for ICS systems is 
the Purdue Model. This model has been proposed by major 
organizations such as NIST, ENISA and SANS as the best and most 
secure practice for securing the systems architecture and network of 
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an ICS environment. The Purdue Model helps provide security for 
industrial communication by separating the layers and defining the 
mode of operation and interaction between the equipment in a field 
and the corresponding processes. In other words, this model 
provides an excellent picture of the different levels used in 
production lines and how they are secured in critical infrastructure. 
Properly implemented, it can create the necessary safeguards 
between ICS and IT systems. 


The typical six levels of the Purdue Model that the ICS assets should 
be categorized in the Asset Inventory are analyzed below. 


Level 5: Enterprise (Enterprise Zone) 


This level includes corporate IT infrastructure systems and 
applications such as VPN remote access and corporate Internet 
access services. Direct communication between systems in the 
enterprise zones and the ICS environment is usually discouraged 
based on the level of risk that this would expose the organization to. 
Access is managed into the ICS environment through a Demilitarized 
Zone (DMZ). 


Level 4: Site Business Planning and Logistics (Enterprise Zone) 


This level includes IT systems that deal with reporting, scheduling, 
inventory management, capacity planning, operational and 
maintenance management, e-mail, phone and printing services. The 
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services, systems and applications in Levels 4 and 5 are normally 
managed and operated by the IT Department of an Organization. 


Level 3.5: Demilitarized Zone (DMZ) 


Here, we find security systems such as firewalls and proxies that are 
used to separate or air gap the IT and ICS worlds. The level also 
includes systems such as: 


Remote Access Server 
Patch Management & Update Server 
IDS 


Level 3: Site Manufacturing Operations and Control (Manufacturing 
Zone) 


In this level, we find systems responsible for managing control plant 
operations to produce the desired end product. Applications, 
services, and systems that are found here include: 


e Data historian 

e Engineering workstations 

e Network File servers 

e IT services such as DNS, DHCP, Active Directory, and NTP 
e Remote access services 
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The systems and applications in Level 3 communicate with the 
systems in Enterprise Zone through a DMZ. Direct communication 
between systems in Manufacturing and Enterprise zones is not 
allowed. Additionally, systems in Level 3 may communicate with 
systems in Levels 1 and 0. 


Level 2: Site Manufacturing Operations and Control (Manufacturing 
Zone) 


This level includes the manufacturing operations equipment for an 
individual production area, such as: 


Human Machine Interfaces (HMI) 
Alarms/Alert systems 
Control room workstations 


These systems may communicate with systems in Level 1 and 
interface with systems in the Manufacturing and Enterprise zones 
through the DMZ. 


Level 1: Basic Control (Cell/Area Zone) 


In the first level, we find process control equipment that receives 
input from sensors, processes the input data by using control 
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algorithms, and sends the output data to a final element. Devices at 
this level are responsible for continuous, sequence, batch and 
discrete control. Some devices that exist in this level are 
Programmable Logic Controllers (PLC), and Remote Terminal Units 
(RTU). These devices run vendor-specific operating systems and are 
programmed and configured from engineering workstations. 


Level 0: Process (Cell/Area Zone) 


The zero- level includes sensors, actuators and instrumentation 
elements that directly connect to and control the manufacturing 
process. These devices are controlled by devices found in Level 1. 


The Architecture Review process ensures that the ICS infrastructure 
and SCADA application architecture adequately meet all relevant 
security and compliance requirements, and sufficiently mitigates 
identified security threats. The INACCESS Architecture Review 
Methodology consists of two main Phases, as shown below: Phase | - 
ICS Network Architecture Review & Phase Il- ICS SCADA Application 
review and are depicted below: 


Phase I- ICS Network Architecture Review - The main goals of this 
phase are to: 


1. verify that all applicable security and compliance 
requirements are effectively taken into account during the 
design phase of the ICS architecture 
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2. verify that appropriate technical controls are in place against 
typical and specific threats of the ICS infrastructure 

3. propose the appropriate mitigation / improvement actions for 
all identified gaps and areas of non-compliance with the plant 
specific security & compliance requirements 


Network Design 


Ensure that network design is based on best practices (i-e., SANS, NIST, etc.) and regulations (such as NERC CIP, etc.) 
Ensure that Network / communication are documented 


+ Check if the traffic between sub-networks is filtered (e.g., by firewall, core switch, etc.) 
Network + Confirm the usage of VLANs 
. 2 the tion between wireless and wired networks 
Segregation Identify all public facing devices in DMZ 
* Review Firewall and Intrusion Detection & Prevention System Rules 
Perimeter * Identify all entry & exit network points. Ensure that encryption and VPN is in 
Security = Check if all entry & exit points are protected by appropriate filtering (e.g., firewall, UTM, etc.) 
Third party * Identify all third-party connections 
connectivity * Verify that appropriate security controls are in place (i.e., VPN) 
Remote User * Identify all remote access methods and accounts 


* Verify that appropriate logs are kept for sufficient time 


Access Confirm that access review is conducted at least annually 


Network ; ; ; 
Logging + Ensure that appropriate logs are kept based on applicable requirements 


Time Server * Ensure that all network devices are time synched 
* Ensure that redundant NTP server is in place 


Network + Ensure that all single of point failures are identified 
eRe * Confirm that all critical network devices have a redundant equipment or alternative communication path 
Resilience * Ensure that a DRP is in place 
* Ensure that network configuration is backed up at time intervals 
Proposed 
Actions * Gap analysis of missing, incomplete, or improperly implemented security controls 


Phase II - ICS Application Security Review 
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In this phase, the goals are to: 


1. verify that all applicable security and compliance 
requirements are effectively taken into account during the 
configuration of the ICS Applications (i.e. HMI, CMS, etc.) 

2. verify that any known vulnerabilities are properly identified 
and the appropriate mitigation actions are taken 

3. verify that appropriate technical controls are in place based 
on the criticality of the plant 

4. verify that the authorized communication flows between the 
applications and rest field components are identified and 
approved 

5. verify that only secure protocols are used 

6. verify that the application features in terms of security are in 
place (i-e. Password complexity, Multi Factor Authentication, 
Encryption, etc.) based on best practices 

7. propose the appropriate mitigation / improvement actions for 
all identified gaps and areas of non-compliance with the plant 
specific security & compliance requirements 
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«Application Architecture Documents Review 
«Input Validation 
«Authentication 
ICS «Authorization 
H i «Configuration Management 
Application «Session Management 
Review Cryptography 
«Exception Management 
Auditing & Logging 
«Application Framework & Libraries 


Proposed 


Actions 


2.Common Open Protocols 


Components of ICS: A typical ICS system is made up of the following 
components 


1. 


oe ee ee 


Supervisory Control and Data Acquisition (SCADA) 
Industrial Automation and Control Systems (IACS) 
Human Machine Interface (HMI) 

Distributed Control Systems (DCS) 

Control Servers 

Programmable Automation Controllers (PAC) 
Programmable Logic Controllers (PLC) 


Scada Security Threats: For Machine learning Engineers 


8. Intelligent Electronic Devices (IED) 
9. Sensors. 
10. Remote Terminal Units (RTU) 


Note: The terms “ICS” and “SCADA” are used interchangeably in 
media. This is misleading and inaccurate. SCADA is a small 
component of ICS. 


As described above, due to ICS being different from IT systems in 
many aspects, traditional IT protocols cannot be used in ICS systems. 
All the systems, interfaces and instruments in an ICS system use 
different protocols for real-time communication and data transfer. 
These protocols were first designed for serial connection but, with 
time, have evolved to support and run on TCP/IP protocols over 
Ethernet networks. 


In a typical ICS system, the following protocols are widely used: RS- 
232 and RS-485, Modbus, DNP3, HART, TASE 2.0 and ICCP, CIP, 
PROFIBUS and PROFINET, FOUNDATION Fieldbus, BACnet and more. 


Let’s discuss each one of them in detail. 


RS-232 and RS-485: Among all the serial interfaces on the market, RS- 
232 and RS-485 are the oldest ones and are still widely used. RS-232 
is primarily used for low speed over short-distance requirements. 
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Due to low cost, simple design and enough space for multiple 
receivers, varieties of connectors are available to connect to its 
interface. 


RS-232 supports full duplex transmission method and allows only 
one transmitter and one receiver to communicate at a time. The 
maximum data rate supported by RS-232 is 20 Kbits/s. 


RS-485 has been designed primarily for high speed over long 
distances or for duplex network connectivity requirement. Unlike RS- 
232, RS-485 allows 32 devices to communicate at a time, i.e., 32 
transmitters can communicate to 32 receivers at a time. The 
maximum data rate supported by RS-485 is Mbits/s. 


Prior to the development of Ethernet, security wasn’t a large concern 
for RS-232 and RS-485 systems. Even now, they are rarely connected 
to the internet, and that provides a buffer from attack. RS-485 
systems running Modbus TCP/IP are connected more often, but the 
added risk is minimal. 


Modbus: Modbus is the oldest and most widely deployed serial 
communication protocol. It is open-source and freely distributed and 
can be built by anyone into their equipment. 


Scada Security Threats: For Machine learning Engineers 


Modbus communicates raw messages without authentication or any 
overhead. Modbus is a request-response protocol and operates at 
the application layer of the OSI model. 


In a typical Modbus network, there are 247 slaves and one master. 
Master/slave is a communication model in which one device (master) 
controls other devices (slaves). 


Modbus has several security concerns — lack of authentication, lack 
of encryption, lack of message checksum and lack of broadcast 
suppression. 


DNP3: DNP3 stands for Distributed Network Protocol. It was 
developed in 1993 and is widely used in the USA and Canada. It 
operates at the application, data link and transport layers; thus, it is a 
three-layer protocol. 


DNP3 design focused more on maximizing system availability and less 
on confidentiality and integrity. At the data link layer, it has the ability 
to detect any errors in data transmission by means of CRC check. 
Efforts have also been made to provide safe authentication at the 
application level. DNP3 has another variant named secure DNP3, 
which takes care of secure authentication and other security features 
at the application level and is always recommended instead of DNP3. 


HART: HART stands for Highway Addressable Remote Transducer. 
HART is an open-source and hybrid (analog + digital) ICS protocol. It 
is mostly used in automation. HART operates in two modes: 
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Point-to-point mode: Single master and a single slave 
Multi-drop mode: Multiple masters and multiple slaves 


The benefits of using HART include reduced cost, simplified design, 
simple implementation and flexible operation. However, HART is 
vulnerable to spoofing attacks, lack of authentication and XML 
injection attacks. 


ICCP/TASE 2.0: ICCP is Inter-Control Center Protocol and is also 
known as TASE 2.0. ICCP is designed for bi-directional WAN 
communication between two or more control centers, power plants, 
substations and other utilities within ICS. ICCP is vulnerable to 
session hijacking, spoofing, encryption and lack of authentication 
vulnerabilities. 


FOUNDATION Fieldbus: FOUNDATION Fieldbus was designed to 
replace analog connections in the refining, petrochemical and 
nuclear industries. 


As per the requirement, FOUNDATION Fieldbus can be implemented 
in two ways: FOUNDATION Fieldbus H1 and HSE (High Speed 
Ethernet), HSE being more advanced and faster than FOUNDATION 
Fieldbus H1. The FOUNDATION Fieldbus data link layer offers no 
opportunities for security. The application layer, however, can be 
secured by defining access groups and granting those groups usage 
rights and passwords. 
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CIP: CIP stands for Common Industrial Protocol and is designed for 
automating industrial applications. CIP encompasses a set of 
messages and services for security, control, control and 
synchronization. CIP is widely used in industry, since it can be easily 
integrated into other networks. 


CIP has been designed specifically for intercommunication and 
integration with other networks. CIP is vulnerable to remote attacks 
and “may result in a denial-of-service (DoS) condition, controller 
fault, or enable a Man-in-the-Middle (MitM) attack, or Replay 
attack.” (Source) 


BACnet: The BAC in BACnet stands for Building Automation and 
Control. As the name suggests, it is used for communication for 
building automation and control systems and finds its application in 
ventilating, heating, access control, lightning, air-conditioning and 
fire detection systems. BACnet systems not connected to the WAN 
have limited vulnerabilities, such as human error and physical break- 
ins. BACNet systems connected to the WAN are vulnerable to remote 
attacks and data breaches. 


PROFIBUS and PROFINET: PROFIBUS and PROFINET were created and 
designed by the same organization. PROFIBUS is a serial protocol, 
while PROFINET is an Ethernet-based protocol. PROFINET is an 
advanced version of PROFIBUS, as it works on an Ethernet-based 
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protocol and provides more speed, more bandwidth and larger 
message size than PROFIBUS. Profibus lacks authentication and 
allows spoofed nodes to impersonate master nodes. 


3.Common Community Protocols: 


The term ‘Industrial Control System’ (ICS) refers to a collection of 
integrated devices, systems, networks, and controls whose objective 
is to monitor, operate, and/or automate industrial processes. 
Nowadays, ICSs can be found in almost every industrial sector, 
including transportation, manufacturing, distribution, critical 
infrastructure, etc. Many of these ICSs are also integrated with 
physical processes that have direct implications on matters of public 
health and safety, as well as national economics and security. There 
is acommon consensus in the cyber security community that attacks 
on ICSs have the potential to create considerably higher level of 
disruption relative to comparable attacks on traditional IT systems. 
For this very same reason, ICSs have become the ‘target of choice’ 
for many cyber criminal groups and nationstate actors looking for 
ways to maximize the impact and payoffs of their attack efforts. 


Early on in their deployment, most ICS networks ran on proprietary 
communication protocols and operated entirely in isolation from 
outside IT systems. Also, historically, ICS networks were expected to 
support critical system functions, in real-time and over prolonged 
intervals, and in environments consisting of many diverse devices. As 
a result, fault-tolerance, reliability, and interoperability were the 
main objectives in the design of most vendor-specific and open- 
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source ICS communication protocols. This also meant that many ICS 
protocols were originally released with no inherent provisions for 
security (e.g., encryption, integrity, authentication), or security was 
added to them simply as an afterthought. To this day, many 
specialized ICS protocols remain reliant on security protections of 
other communication layers and protocols, such as TLS. 


Over the past few years, there has been a steady rise in the number 
of ICSs that have undergone (or are awaiting) seamless integration 
with the Cloud, external loT, and/or remote IT systems. And while 
the meshing of ICS networks with outside systems can brings 
tremendous business opportunities, it is also known to introduce a 
significant number of new security challenges. For example, ICS 
integration with external systems implies an expanded network 
surface and a need to support a wider range of IP-based protocols. 
Both of these, in turn, make the respective ICS networks susceptible 
to an increased number of direct (insider) attacks as well as a whole 
slew of outside attacks that ICS networks traditionally did not have 
to deal with. 


The goal of this Feature Topic (FT) is to explore the most recent 
research and developments related to security of networks and 
communication protocols in industrial control systems. Prospective 
authors are invited to submit original high-quality contributions 
dealing with vulnerability analysis and security-driven reengineering 
of industry-standard ICS protocols, such as: Profibus, Profinet, DNP3, 
Serial Modbus, ModbusTCP, OPC, BACnet, CIP, EtherCAT, S7Comm, 
MAQTT, CoAP, etc. Additional topics of interest include, but are not 
limited to, the important role of ICS protocols in the facilitation or 
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prevention of the following types of intrusions, as well as protocol 
modifications or revisions to address the vulnerabilities: 


e active or passive reconnaissance of ICS networks 


e gaining of unauthorized local or remote access to ICS 
networks 


e attacks on CIA of data in-transit and data in-rest in ICSs 

e attacks on CIA of processes and systems in ICSs 

e creation of covert data exfiltration tunnels in ICSs 

e spreading and execution of malicious payloads in ICSs 

e creation of command & control channels in infected ICSs 
e disruption of physical operations in target ICSs 
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Figure 1:Common Community Protocols 


4.Common Proprietary Protocols: 


BACnet (port 47808): is a communications protocol for building 
automation and control networks. It was designed to allow 
communication of building automation and control systems for 
applications such as heating, air-conditioning, lighting, and fire 
detection systems. 
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Codesys: over 250 device manufacturers from different industrial 
sectors offer automation devices with a CODESYS programming 
interface. Consequently, thousands of users such as machine or plant 
builders around the world employ CODESYS for automation tasks. 


DNP3 (port 20000): Distributed Network Protocol is a set of 
communications protocols used between components in process 
automation systems. Its main use is in utilities such as electric and 
water companies. 


EtherNet/IP (port 44818): was introduced in 2001 and is an industrial 
Ethernet network solution available for manufacturing automation. 
General Electric (product: " General electric ") 


GE Industrial Solution: Service Request Transport Protocol (GE-SRTP) 
protocol is developed by GE Intelligent Platforms (earlier GE Fanuc) 
for transfer of data from PLCs. 


HART IP: The HART Communications Protocol (Highway Addressable 
Remote Transducer Protocol) is an early implementation of Fieldbus, 
a digital industrial automation protocol. Its most notable advantage 
is that it can communicate over legacy wiring. 


IEC 60870—5-104 


IEC-104 (port 2404):is one of the IEC 60870 set of standards which 
define systems used for SCADA in electrical engineering and power 
system automation applications. 
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Mitsubishi Electric (product:“Mitsubishi”): MELSEC-Q Series use a 
proprietary network protocol for communication. The devices are 
used by equipment and manufacturing facilities to provide high- 
speed, large volume data processing and machine control. 


Modbus (port 502): a popular protocol for industrial control systems 
(ICS). It provides easy, raw access to the control system without 
requiring any authentication. 


Omron: Factory Interface Network Service (FINS), is a network 
protocol used by Omron PLCs, over different physical networks like 
Ethernet, Controller Link, DeviceNet and RS-232C. 


PCWorx: is a protocol and program by Phoenix Contact used by a 
wide range of industries. We can find them by doing the following 
queries: port:20547,1962 PLC port:2455 operating system port:9600 
response code 


ProConOS: a high-performance PLC run time engine designed for 
both embedded and PC based control applications. 


Red Lion (port 789 product: "Red Lion Controls"): Crimson v3.0 
desktop software’s protocol used when communicating with the Red 
Lion Controls G306a human machine interface (HMI). 


Siemens S7 (port 102): S7 Communication, a proprietary protocol 
that runs between programmable logic controllers (PLCs) of the 
Siemens S7 family. 
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Tridium Niagara Fox (ports 1911 and 4911): the Fox protocol, 
developed as part of the Niagara framework from Tridium, is most 
commonly seen in building automation systems (offices, libraries, 
Universities, etc.). 


5. Sample Vendor Reference Architectures: 


Platform Enterprise 


eT 

z 

8 

a 

= 

3 

é 

8 
= 


Purdue Level 0 Purdue Levels 1 thru 4 Purdue Level 5 


Figure 2:Sample Vendor Reference Architectures 


Scada Security Threats: For Machine learning Engineers 


SECTION 2 


Ethical Hacking Methodologies & Tools 


1.Information Gathering: 


Tools: 


ABB Cyber Security Benchmark 


Snort 


Splunk 


Binary Ninja 


Hyperion 


USB-ARM 


YARA 


Cyber X Sense 


1. Multi-purpose 


AlienVault Unified Security Management (USM) SIEM 
Dragos 
McAfee 
Nessus 


Ei 


2. IOC detection 
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1. FireEye IOC Editor and Finder 
2. ABB Cyber Security Benchmark 


3. Network traffic anomaly detection 


1. OSSEC 

2. Security Onion 

3. Snort 

4. Symantec Anomaly detection for ICSs 


4. Log review 


1. ElasticSearch 
2. Splunk 


5. Hardware security 
Multi-purpose tools 
Multi-purpose tools provide some of the following benefits: 


Asset discovery 

Intrusion detection 

Threat intelligence using behavioral analytics 

Investigation and response assistance by providing step by 
step guidance 


pe ae 
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AlienVault Unified Security Management (USM) SIEM 


A SIEM is a Security Information and Event Management system. It is 
used to view security information in easy-to-process formatting. 
AlienVault combines log management, SIEM functionality, asset 
discovery, vulnerability management and intrusion detection into 
one system. It is used in cloud, hybrid or on-premises environments. 


Dragos 


Dragos, the company, releases a yearly review of current threats, 
vulnerabilities and incident response and assessments lessons 
learned. This information can be used to help create security related 
metric reports. 


The Dragos Industrial Cybersecurity Ecosystem collects and cross- 
references suspicious events. The suite of tools offers asset discovery, 
compromise assessment functionality, threat hunting, forensics tools, 
automated workflows and incident response. 


McAfee 


McAfee is a well-known name in the security industry and has many 
tools used by security professionals to better protect their assets. 
McAfee also has a suite of security products geared towards SCADA. 
Their SCADA/ICS tools provided security in four areas: 
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1. Database 

2. Endpoint 

3. Data protection 

4. Network security 
Nessus 


Nessus is another well-known name in the IT security sector. It is a 
security scanner developed by Tenable Network Security and used to 
identify system security vulnerabilities. The Nessus scanner is useful 
for malware detection, web application scanning, compliance checks, 
configuration review and assessments. 


Security Onion 


Security Onion is a collection of free tools used to assist with traffic 
analysis and network monitoring. It includes a Network Intrusion 
Detection System (NIDS), host-based Intrusion Detection System 
(HIDS), packet capture and analysis tools. Bro, Snort, Open-Source 
HIDS Security (OSSEC) and other tools are included in the Security 
Onion suite. 


Security Onion tools take the information gathered and show it in an 
easy-to-read format. This makes analysis easier to perform. 
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Log review 


Systems generate logs, including audit logs, user access logs, security 
logs and system status logs. So much data is generated by logs that 
analysis can be difficult. Log review tools are designed to help with 
this issue. Some of the best log analysis tools for ICSes on the market 
include the following. 


ElasticSearch 


If you’ve ever heard the term “ELK stack,” ElasticSearch is the E in 
that acronym. (The other two letters are for Log Stash and Kibana.) 
ElasticSearch is useful in data mining and analytics. It allows the user 
to search and filter data quickly through the use of manual searches 
or the creation of rulesets. 


The Kibana dashboard is the tool used to easily view gathered 
information in a formatted GUI. It provides the visualization of the 
data. 


Splunk 


Splunk is a network monitoring tool that also provides intelligence. It 
is useful in analyzing device, HMI and overall network/system 
behaviors. Splunk is also useful in forensics investigations. 
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Hardware 


Physical security practices are an integral part of a complete cyber 
hygiene program. Physical security includes guards, strategic lighting, 
fences, doors and locks. Within the protection of exterior security 
and access control, the hardware and components physically 
connected to the system are further protected by hardware security 
practices such as the use of anti-tampering devices and hardware 
security modules (HSM). 


Anti-tamper devices are physically attached to hardware to prevent 
unauthorized access to the physical system components. 


Hardware security modules are physical computing devices that 
provide crypto processing. They are used to manage digital keys for 
more secure authentication. Some HSMs also include anti-tamper 
protection. 


2.Scanning, Enumeration and Fingerprinting: 


Nmap is one of those tools that is essential to every 
hacker/penetration tester’s toolbox. No hacker/pentester should 
EVER be without nmap. Although nmap has many varied capabilities 
(including nmap scripts (NSE)), it began as a simple best port scanner 
and has remained the best port scanner available to us. As a result, 
every hacker/pentester should understand the basics of using nmap. 
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Nmap Basics 


When we can boil down the nmap syntax for port scanning to its 
bare essentials, it looks like this; 


nmap -s<type of scan> <IP address> 


nmap has many types of scans. Among the most useful and popular 
are; 


T —this is the connect scan. It opens a TCP 3-way handshake with the 
target system, thereby offering us the most reliable results, but the 
least stealthy, as the 3-way handshake is logged by the system. 


S —the stealth or SYN scan sends a packet with the SYN flag set 
thereby opening a connection, but not completing the 3-way 
handshake. Therefore, it is not logged, but it is pretty reliable. 


U —the T and the S scans provide us with information on the TCP 
ports, but not the UDP ports. This scan specifically looks for UDP 
ports. 


X — the infamous XMAS scan. It turns on the P, U, and F flags and it 
used to be able to illicit a response from some systems. Although still 
famous, it has limited usefulness now. 


A -—this scan sets the ACK flag which would normally indicate an 
ongoing TCP communication. It can be used to confuse and get 
past some stateless firewalls. 
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The Most Reliable, but Least Stealthy Scan 


Let’s start by attempting a -T or Connect scan against a SCADA target. 
| have chosen this one from my Shodan search for systems running 
port 502 or modbus (modbus is the most popular SCADA protocol). 
This just happens to be a plant in Genoa, Italy. 


kali > nmap -sT 88.147.125.34 -p 502 


As you can see, nmap found port 502 filtered on this system. This 
usually indicates that the port is enabled, but has a firewall blocking 
access. 


Sometimes, a UDP scan can reveal more information. Let's try a 
nmap UDP scan against the same target and see whether it reveals 
any further information. The switch for a UDP scan is -sU. 


kali > nmap -sU 88.147.125.34 -p 502 


We can see that this scan comes back saying that port 502 is either 
open or filtered. 


Nmap scripting engine (NSE) 


In addition to being an excellent port scanning tool, nmap has a 
scripting capability. This adds significant capability to nmap via the 
Lua scripting language. 


if 


fea) 
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The Nmap scripting engine is one of Nmap's most powerful and, at 
the same time, most flexible features. It allows users to write their 
own scripts and share these scripts with other users for the purposes 
of networking, reconnaissance, exploitation, etc. These scripts can be 
used for: 


Network discovery 

More sophisticated and accurate OS version detection 
Vulnerability detection 

Backdoor detection 

Vulnerability exploitation 

Find the Nmap Scripts 


a a ee 


From the terminal, let's look for the Nmap scripts. All of the scripts 
should end in. nse (nmap scripting engine), so we can find the scripts 
by using the Linux locate command with the wildcard *.nse. That 
should find all files ending in. nse, such as; 


kali > locate *.nse 


As you can see in the screenshot above, our terminal displays 
hundreds of nmap scripts. 


The basic syntax for running these scripts is this: 


nmap --script <scriptname> <script-args-if-any> <host ip> 
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In our case here, we want to use a specific script for finding modbus 
nodes within a modbus enabled sites (although SCADA sites use 
numerous different protocols, modbus is the most popular). In other 
words, if we know that the site is using modbus, this script can 
discover each of the nodes and their identifier. 


Outside of the standard syntax, we need to add the script argument 
‘modbus-discover.aggressive=true’ to our command. The command 
should look something like this. 


kali > nmap --script modbus-discover.nse --script-args='modbus- 
discover.agressive=true' -p 502 88.147.125.34 


When we run it and it is successful, it should be able to provide us an 
output of all the modbus nodes on the system. 


As you can see, it successfully was able to identify the nodes as 
Schneider Electric SAS version 5.2 and found each of the nodes. 


It found nodes from 1 (0x01) to 262 (Oxf6). This provides valuable 
information to the attacker by not only identifying the PLC and the 
version, but also the communication protocol (modbus) and each of 
the nodes. As SCADA attacks require intimate knowledge of the ICS 
operations, this information may be enough for the attackers to 
begin planning their attack upon this infrastructure. 
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SCADA infrastructure is among the valuable and vulnerable systems 
in the world. If one of these systems is hacked (as many have) it can 
not only cost the company millions of dollars, but may cost many 
lives as well (e g electric grid, water treatment). We have been able 
to not only find these devices, but also enumerate each of its nodes, 
setting up the exploitation of these devices and systems. 


3.Gaining Access: 


A remote access attack is when a hacker remotely connects to an ICS. 
One of the most common ways hackers access ICS systems remotely 
is through the use of SCADA systems. In this scenario, hackers access 
the local network (LAN) connected to the SCADA system and then 
access the SCADA through the LAN. This can be done through the use 
of a computer running special software, known as remote access 
software. This software allows a person to remotely access the LAN 
and SCADA system. 


Remote access attacks are also possible when a remote access server 
is connected to the SCADA. A remote access server is a computer 
used to allow access to the SCADA system from remote locations. 
There are a number of ways hackers can gain access to remote access 
servers, including through social engineering, brute force attacks, 
and password guessing. 


One of the ways potential hackers gain access to a system is by using 
phishing techniques to get a privileged user to open a malicious 
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email and deliver the payload. Another is using the same technique 
on aless-privileged user and exploiting password weaknesses to 
elevate their privileges and wreak havoc on the system. 


This is why strong password policies and separation of duty practices 
are vital in protecting an ICS environment. Ways to implement this 
control include: 


e Implement multi-factor authentication 

e Enforce use of a 14+ character password or password with 
capitals, special characters and numbers 

e Remove all default admin accounts 

e Force admin users to only use admin accounts when 
necessary and use standard user accounts when performing 
non administrative functions (if applicable) 

e Automate alerts for when new accounts are created 


4. Maintaining Access: 
Webshells in kali linux: 


Webshells can be used to maintain access or to hack a website. But 
most of them are detected by antiviruses. The C99 php shell is very 
well known among the antivirus. Any common antivirus will easily 
detect it as a malware. 
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Generally, their main function is to send system command via web 
interfaces. 


As you see, they are divided in classes according to the 
programing language: asp, aspx, cfm, jsp, perl,php 


If you enter in the PHP folder, you can see all the webshells for 
php webpages. 


:/u s| Ls# cd php/ 
uSI nal h { php# 1s 


findsock.c php-findsock eLL. pl qsd-php-backdoor.php 
php-backdoor.php php-reverse-shelL. phy simple-backdoor.php 


To upload the shell to a web server, for example “simple- 
backdoor.php” open the webpage and URL of the web shell. 


At the end, write the cmd command. You will have all the info 
shown as in the following screenshot. 


¢ | aera; 


EEE EEE 
fj Most Visitedy [fJOffensive Security “A Kali Linux “A Kali Docs “(Kali Tools KMExploit-DB 
Host Name: her 
OS Name: 
OS Version: 
OS Manufacturer: Microsoft Corporation 
OS Configuration: Standalone Workstation 
OS Build Type Multiprocessor Free 
Registered Owner: a 


Registered Organization: 


Scada Security Threats: For Machine learning Engineers 


Tools 


cryptCat 


Cymothoa 


Dbd 


dns2tcp 


HTTPTunnel 


Intersect 


Nishang 


Description | javatpoint.com 


It reads and writes data across all network 
connections, using TCP or UDP protocol while 
encrypting the data that is transmitted. 


It is a backdooring tool that injects backdoor's 
shellcode into an existing process. 


It is a Netcat-clone, which offers strong 
encryption and runs on Unix like operating 
systems and on Microsoft Win32. 


It is a network tool designed to relay TCP 
connection through DNS traffic. 


It is used to tunnel network connections 
through a restrictive HTTP proxy. 


It is an Intersect Post-exploitation framework. 


It enables usages of PowerShell for offensive 
security and posts exploitation during 
Penetration Tests. 
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5.Machine learning in Scada systems: 


Programmable logic controllers (PLCs) 


are controller devices in Level 1 of PERA that are commonly 
programmed using ladder logic. Historically, PLC often has a 
customised operating system and a combination of function code 
and data blocks which may risk corruption, modification and 
configuration manipulation (Wu et al., 2019). An example an of 
attack that took advantage of PLC’s known vulnerabilities is the 
Stuxnet attack (Langner, 2011). 


Human Machine Interfaces (HMIs) 


are any device in a plant that requires human control in providing or 
in some cases displaying the state of a process or large piece of 
equipment. They are at level 2 of the Purdue architecture providing 
control panels to PLCs and often run commercially available 
lightweight operating systems such as Windows, but cannot usually 
be patched or secured (Chan et al., 2019). This makes them attractive 
targets for cyber attackers looking to gain operating systems access 
when onsite to install malicious software or gain control of other 
devices in the ICS environment. 
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Sensors/Actuators 


are at Level 0 of the Purdue architecture, and provide raw data feeds 
into PLCs (typically as data blocks). The key problem associated with 
sensors is that they are not capable of providing authentication or 
integrity guarantees to the data they provide, and PLCs in turn use 
sensor data to evaluate and execute control logic. The consequence 
is that control logic is based on unauthenticated inputs with no 
integrity controls such as ‘unauthorised command’ messages, thus 
compromising systems (Govil et al., 2017). 


Safety Instrumented Systems (SIS) 


are designed and operated as independent systems that monitor the 
condition of the industrial process with the aim to shut it down 
should it enter a state in which the system itself may be damaged. 
The safety system itself is usually engineered to similar cybersecurity 
standards as the control system, with probably less monitoring on 
safety systems and can be compromised, as in the Trisis malware 
(Kanamaru, 2017). 
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Data Historians 


collect and maintain records of past events for analysis and display, 
usually in a database platform. It usually has the same vulnerabilities 
as common database platforms (Gonzalez et al., 2019). 


Remote Terminal Units (RTUs) 


typically reside in remote locations to monitor field devices and 
transmit data back to a central monitoring station such as a Master 
Terminal Unit (MTU), a central PLC or an HMI. Like PLCs, RTUs suffer 
from poor security features and are vulnerable to attacks such as 
authentication bypass, data manipulation and malformed protocol 
messages (Graham et al., 2016). An example of known attacks on 
RTU is the Industroyer incident (Kshetri & Voas, 2017). 


Engineering Workstations 


are placed at various locations in the plant to allow engineers to 
update components in the rest of the ICS systems. They are often 
poorly controlled from an IT security perspective, may run 
unsupported operating systems and run under generic administrator 
accounts, often allowing remote access. In addition, they are prone 
to software vulnerabilities, USB insertion of code or data on sites and 
may not run log monitoring and malware detection software 
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(Antrobus et al., 2016). In the case of Stuxnet, the attacker utilises an 
engineering workstation as the initial access point. 


OT network protocols 


In addition to vulnerabilities and weaknesses in ICS components, 
many ICS specific protocols are also vulnerable to cyber-attacks. We 
list common protocols with their vulnerabilities: 


Modbus 


is a de-facto communication protocol developed by Mobicon (now 
Schneider Electric) for PLCs and other ICS devices (Swales et al., 
1999). It is insecure by design with known vulnerabilities that can 
lead to denial-of-service (Voyiatzis et al., 2015; Upadhyay & Sampalli, 
2020). 


PROFINET 


is an I/O protocol by PROFIBUS International (Feld, 2004). The 
protocol is based on ETHERNET standard and is vulnerable against 
attacks such as unauthorised access (Dias et al., 2018). 
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S7COMM 


is a proprietary protocol for Siemens PLCs (Beresford, 2011). The 
protocol lacks authentication and encryption which makes it 
vulnerable to spoofing and denial-of-service attacks (Alsmadi et al., 
2021). 


DNP3 


is a reliable protocol that is used for communications between 
control system devices. In the default configuration it contains no 
authentication or encryption of the payload (East et al., 2009). 


The main problem associated with ICS security protocols is many 
protocols currently in use do not implement message authentication 
and encryption, and have only weak or absent integrity protection. In 
consequence, adversaries have the ability to set up malicious control 
points in some cases manipulate data in transit or through malicious 
drivers. 


3.2 Common cyber-attacks on ICS 


Cyber-attacks on ICS may be targeted or opportunistic. Targeted 
attacks are defined as attacks that immediately target the physical 
infrastructure, whereas opportunistic attacks are classified as attacks 
that have an industrial attack as a byproduct rather than as the main 
objective. 
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The MITRE Corporation has recently released a MITRE ATT&CK for 
ICS framework to model the attack pathways to OT, in the form of 
tactics, techniques and procedures (Alexander et al., 2020). Some of 
the tactics in the ICS ATT&CK framework reappear in the general 
ATT&CK matrix, others are unique to industrial control systems. 
Among the unique tactics are inhibiting control functions, impairing 
process control and an impact category that lists the various forms of 
impacts that ICS cyber-attacks may have. Attacks are usually not 
executed in a single step and with a single technique or procedure. 
Instead, they rely on a set of techniques executed in a sequence 
known as the kill chain. As an example, the ICS specific kill chain that 
underpins a lot of the impacts in the ATT&CK for ICS framework is 
developed in Assante and Lee (2015). 


Existing ML approaches mainly have a more limited focus on specific 
techniques (in the technical sense related to the above). Our studies 
found that the most common cyber-attacks can be categorised into 
four categories; denial-of-service (DoS) (Long et al., 2005), false data 
injection (FDI) (Mo & Sinopoli, 2010), reconnaissance (Rec) 
(Mazurczyk & Caviglione, 2021) and spoofing (Spo) (Hijazi & Obaidat, 
2019). 
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3.3 ICS security issues and challenges 


ICS environments are usually designed to rely on their environments 
for their security. Security weaknesses in industrial protocols, for 
instance, are usually addressed by running them on a separated 
network, with the presumption that access to such separated 
networks can be strictly controlled by the operator. In modern 
environments, such separation is less and less possible. Relative to 
the context in which ICS systems operate, three trends influence the 
degradation of cyber-security in ICS networks. 


Convergence of IT and OT networks 


The advent of Industry 4.0 has led to a gradual convergence of IT and 
OT to allow process automation. ICS networks are a core part of OT 
networks. As a consequence, ICS networks are no longer isolated but 
are now exposed to automation components as well as increasingly 
the IT environment (and in some cases even the Internet), which 
increases their attack surface. For example, the Industrial Internet of 
Things often relies for its functionality on connections between 
critical infrastructure and a cloud platform that in turn is controlled 
via mobile phone apps. In many cases (like with intelligent lighting 
systems), these devices, apps and associated cloud infrastructure are 
deployed as an end-to-end third party solution over which the owner 
has little say, yet still ends up owning all of the risks. 


Scada Security Threats: For Machine learning Engineers 


Outdated Best Practices in the OT network 


It is considered best practice to maintain a separation between IT 
and OT networks as well as separate these networks from the 
Internet, as in the PERA model (Williams, 1994). Devices and 
applications in the OT environment are designed for long lifetimes 
and high availability, not for resistance to IT or Internet cyber threats. 
Notwithstanding recommended best practices, many OT 
environments have long had backdoors to enable remote support, 
often via insecure protocols such as FTP, TeamViewer, VNC and other 
remote access protocols. Such backdoors often existed without the 
knowledge of IT or cybersecurity departments and usually deployed 
consumer grade hardware and software standards. 


Security is not a priority in the ICS infrastructure 


ICS infrastructure is usually not safe by design. There are many 
instances of processes running with elevated privileges in an ‘always 
on’ mode on devices that can be accessed by many users. A notable 
example is engineering workstations, where the software used to 
program the PLCs does not work well in a multi-user environment 
and needs to be available to contractors in case an update of the PLC 
programming is needed. Access to data blocks on PLCs is in turn 
required by industrial monitoring software and requires network 
access to the PLC over a programming port. In these situations, 
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normal network controls, such as firewalls, are ineffective and to 
detect an intrusion, a protocol level understanding of the traffic is 
required. 


3.4 ICS vulnerabilities in a nutshell 


Overall, this section lists the well-known vulnerabilities found in ICS 
components and protocols, four common categories of cyber attacks, 
and the ICS security issues and challenges. In summary, the 
vulnerabilities mentioned are mostly around insecure authentication, 
risks to unauthorised modification to data/configuration, and 
outdated/unpatchable software. These are generally caused by poor 
design which did not consider the security aspect of the particular 
component or protocols. Therefore, vulnerabilities in ICS are not an 
easy fix because most of these components and protocols would 
require a design update or an extra layer of security added to them 
in order to make them secure. Alternatively, better detection 
strategies can be developed to detect cyber attacks that arise from 
these vulnerabilities. 


4 Current advancement in machine learning 


We review the performance of recent ML-based approaches for 
detecting ICS cyber attacks, particularly focusing on the last five years 
(2017-2022). We structured our review to provide insights on the 
following two key components (i.e. machine learning algorithms and 
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datasets) used in the development of the ML-based detection 
systems: 


1. machine learning algorithm - an algorithm that will ‘learn’ 
from input data and save the ‘learned’ information into a 
model. The model will then be used for classification, 
prediction or clustering tasks. 


2. dataset - a set of data used for building and training the 
model. The data normally consists of both normal and attack 
samples. It will also be used to evaluate the machine learning 
model’s performance. 


Contemporary machine learning algorithms 


ML algorithms are used for learning the patterns from input data to 
build a model that can later be used to recognise the learned 
patterns from new data. This input data is also known as the training 
data. The ML model built can then be used on newer data for tasks 
such as Classification, prediction, clustering, dimensionality reduction 
and density estimation. In practice, ML model is periodically updated 
by adding newer data into the training data to ensure that the model 
can recognise newer patterns and maintain its accuracy. 
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In this section, we review contemporary ML algorithms used in ML- 
based detection approaches. These approaches typically use one of 
the contemporary ML algorithms with refined hyperparameters or 
input features. Some approaches combine two or more 
contemporary machine learning algorithms to improve 
performances. We divide these approaches into four main groups 
based on their learning characteristics, namely supervised learning, 
unsupervised learning, deep learning and ensemble learning. 


Supervised learning 


use human intervention or ‘labels’ to learn the patterns. In attack 
detection tasks, binary-class labels (‘normal’, ‘attack’) are the 
common labels used to distinguish between benign data (“normal”) 
and malicious data (“attack”). Several types of supervised learning 
algorithms are k-Nearest Neighbour, Regressions (linear, logistic, 
Lasso, softmax), Bayes (Naive Bayes, Bayesian Network), Decision 
Trees (CART, J48, ID3, C4.5, REPTree), Artificial Neural Networks 
(NeuralNet, MLP, BPNN), Rule Induction (One-R, Zero-R, Ripper), 
Support Vector Machines (SVM), and Discriminant analysis (LDA, 
QDA). 


Unsupervised learning 


requires no human intervention because it learns by grouping similar 
data together to form clusters or associations. This type of learning is 
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desirable when labels are absent or insufficient from the training 
data. Common unsupervised learning algorithms found in the 
literature for ICS attack detection are Isolation Forest, One-Class 
Support Vector Machine (OCSVM) and Autoencoders such as Sparse 
Autoencoders (SpAE), Undercomplete Autoencoders (UAE), 
Variational Autoencoders (VAE) and Fair Clustering (FD). These 
algorithms only learn from normal data and any outliers or 
anomalies detected will be classified as ‘attack’. 


Deep learning 


employs ‘multiple processing layers to learn representations of data 
with multiple levels of abstraction’(LeCun et al., 2015). Due to the 
deep learning from multiple representation levels, when trained 
properly, it can provide significantly better results than traditional ML 
algorithms. Deep learning algorithms can be a combination of both 
supervised and unsupervised learning techniques. Common deep 
learning algorithms are Deep Neural Networks (DNN), 
Convolutionary Neural Network (CNN), Deep Belief Network (DBN), 
Long Short-Term Memory (LSTM), Recurrent Neural Network (RNN, 
including Simple Recurrent Unit and Bi-directional Recurrent Unit), 
Stacked Autoencoder (StAE) and Gated Recurrent Units (GRU). 
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Ensemble Learning 


approaches learn from a single ML algorithm multiple-times. At each 
time, a different parameter setting will be used. The results are then 
combined to form a single ML model. This approach is used to 
enhance existing models and provide better detection results. 
Commonly used ensemble learning algorithms for attack detection 
are Random Forest (RF), Bagging, Boosting (Adaptive Boosting, 
Gradient Boosting), ensemble deep learning, and ensemble neural 
network. 


An overview of commonly-used ICS datasets with the best ML 
performance 


Datasets are collections of past data that are used to train and build 
ML models. These datasets are normally collected from small-scale 
physical testbeds with processes mimicking the real-world 
environment. These datasets are also used to test and evaluate the 
performance of ML models. We provide a brief description of the 
commonly used, publicly available datasets. Table 3, presents a 
comparison of different ICS datasets used in evaluating ML-based 
approaches with their reported performance. From our review, we 
observed that most papers show the performance efficacy of their 
ML-based approaches through accuracy or F1-score. For simplicity, 
we only present the accuracy score of these approaches. However, 
not all of the surveyed papers have included accuracy in their 
evaluation results. In such cases, we reported their F1 score. 
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Secure Water Treatment (SWaT) 


(Goh et al., 2016) is a collection of data from a scaled-down real- 
world industrial treatment plant testbed implemented at the 
Singapore University of Technology and Design (SUTD). The dataset 
consists of 11-days of normal operational data from both physical 
properties and network traffic, and cyber and physical attack data 
recorded once every second. The normal operational data was 
collected in the first 7-days where the plant was running six stages of 
the filtration process normally without any deliberate interruption 
and attacks. In the last 4-days, 36 attacks, lasting between a few 
minutes to an hour were launched from multiple points in the plant. 


Gas Pipeline (GP) 


(Turnipseed, 2015) is collected from the GP system provided by the 
Mississippi State University. It contains 274,627 instances of network 
communication between a Remote Terminal Unit (RTU) and a Master 
Control Unit (MTU) through the Modbus RTU protocol. Figure 4 
shows the GP system and process framework. Based on the 
framework, network packet data is collected via a logger. The attacks 
are randomly executed from 35 cyber-attacks comprised of recon, 
FDI (respond injection (resp inj), command injection (cmd Inj)) and 
DoS attacks. These attacks constitute 21.9% of the total instances in 
the dataset. 
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IUNO datasets 


(Anton et al., 2019) are OPC UA based batch processing traffic. The 
data is generated with a Festo Didactic model representing a water 
pump environment, emptying and filling in the water tank. Three 
datasets were created where each dataset contains a specific 
approach of the false data injection attack. 


BATtle of the Attack Detection Algorithms (BATADAL) datasets 


(Taormina et al., 2018) consist of three different simulated datasets 
based on a fictional C-Town water distribution system. These 
datasets were created for a cyber attack detection competition, 
where seven teams took part to develop solutions based on the 
simulated datasets. The datasets include two training datasets and a 
testing dataset. The first training dataset consists of 365 days of 
hourly normal data whereas the second training dataset consists of 
seven attacks spanned across 497 hourly records. The testing dataset 
consists of 407 hourly records with additional seven types of attacks. 
All of the 14 attacks were some form of False Data Injection attack 
such as replay, man in the middle and modification attacks. 


Water Storage Tank and Gas Pipeline SCADA systems (WST) dataset 


(Morris & Gao, 2014) was collected from the laboratory-scale SCADA 
systems at Mississippi State University. Both datasets contain normal 
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data and four types of attacks (two types of false data injection 
attacks, Denial of Service attack, and reconnaissance attack). 


Power System Attack Datasets (Power) 


The Power System Attack datasets are three datasets made from one 
initial dataset created by Mississippi State University and Oak Ridge 
National Laboratory. The initial dataset was made from 15 sets of 
data containing 37 power systems scenarios that can be divided into 
three types of events: natural events, no events, and attack events. 
The attack events are false data injection attacks including remote 
command injection, and relay setting change attacks. 


Water Distribution Testbed (WADI) 


WADI dataset (Ahmed et al., 2017) is collected from a scaled-down 
water distribution network in a city. 


Festo MPA Process Control Rig (Festo) 


A clean water supply system was implemented using the Festo MPA 
process control rig at the Edinburgh Napier University (Robles- 
Durazno et al., 2018). It generated three datasets with false data 
injection attack to reduce the amount of water in the reservoir tank. 
The data is collected using the INA219 sensors via the I2C protocol. 
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Tennessee Eastman Process (TEP) simulation 


This is the oldest publicly available dataset in the ICS environment 
(Downs & Vogel, 1993). It involves simulating an actual industrial 
process plant in the chemical industry. Researchers have re- 
generated new datasets (Rieth et al., 2017) which include more 
examples for both training and testing data. The datasets contains 21 
preprogrammed process faults that could simply be categorised as 
false data injection attacks. 


Traffic Light Control System (TLIGHT) 


The dataset is based on an experimental setup using the Siemens S7 
PLCs loaded with TLIGHT traffic light control program (Yau & Chow, 
2017). Two set of datasets were created. The datasets contain seven 
types of normal operations that caused variation in the timers and 
output values of the traffic light control system. Attack data was 
created by altering some of the values using an open source program 
called Snap7. 


HIL-based Augmented ICS Security (HAI) 1.0 


This dataset (Shin et al., 2020) is collected from a simulated testbed 
which combines three physical systems; GE turbine, Emerson boiler 
and FESTO water treatment. 
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Challenges in ML for ICS security 


We have identified four critical challenges facing ML research for ICS 
security: 


Limited attack scenarios for evaluation 


Despite cyber attacks on ICS in critical infrastructure being extremely 
damaging, highly targeted and specific attacks on them are not that 
common. The best-known attacks tend to be varieties of the Stuxnet, 
BlackEnergy, Trisis, Havex or Crashoverride malware families. These 
malware were highly targeted to specific environments, such as the 
Iranian uranium enrichment plant in the case of Stuxnet, or the 
Ukrainian power grid in the case of BlackEnergy. Besides these 
targeted attacks, some attacks can be classified as opportunistic such 
as ransomware. At the time of writing, most opportunistic 
ransomware has a variety of specific ‘kill lists’ added for ICS 
processes. While these attacks may be less targeted, they are 
nonetheless equally damaging to the critical infrastructure. This 
situation is in stark contrast to common IT infrastructures, where 
cyber attacks (e.g. malware) samples tend to be large and have a 
significant variety. 
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Limited good quality, realistic datasets 


Apart from having limited attack scenarios, available datasets used 
for training, testing and evaluations of ML-based approaches in ICS 
are outdated, unrealistic and may only reflect specific cyber attacks 
such as the KDDCup’99 (Hettich, 1999) and NSL-KDD (Tavallaee et al., 
2009) datasets. Both datasets are still being used despite their 
weaknesses (Begli et al., 2019; Raman et al., 2019; Muna et al., 
2018). For example, the KDD dataset has been criticised for having 
redundant records, missing values and outdated attacks (McHugh, 
2000). Although the NSL-KDD removed the redundant records and 
missing values, it still contains the same outdated attacks as its 
predecessor. Newer datasets have been introduced for ICS research 
such as the Mississippi State University (MSU) Power, Gas, and Water 
datasets (Morris, 2018) and Singapore University of Technology and 
Design’s Secure Water Treatment (SWaT) dataset (Goh et al., 2016). 
These datasets, however, capture data from specific components or 
protocols in their ICS environment which restricts the types of cyber 
attacks that are available for detection. Moreover, most of the cyber 
attacks in these datasets heavily rely on the assumption that 
attackers have gained access and control into the system or network 
which limits how early a cyber attack can be detected. The main 
issue for limited good quality datasets, especially real-world datasets 
is the risk of exposing sensitive information in the datasets even after 
the data is anonymised. Therefore, almost no one would share their 
dataset from real systems publicly. 
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Risk of adversarial attacks 


ML approaches rely heavily on the correctness and accuracy of 
training data and pre-trained models to be effective. However, a 
major weakness of such approach is that it provides opportunities for 
attackers to exploit these training data and pre-trained models to 
evade detection and reduces the effectiveness of the approaches. 
While adversarial attack in cybersecurity has been a well-known 
problem for over a decade (Biggio & Roli, 2018), it has only become 
more prominent in the recent years due to the rise of ML approaches 
for cybersecurity. Adversarial attacks are different from cyber attacks 
because they aim to confuse ML models into making incorrect 
classification rather than attacking cyber infrastructures (Kurakin et 
al., 2016). Several recent papers have presented or demonstrated 
new attack vectors and potential adversarial attacks on target ML 
models including the impact to ICS systems (Gomez et al., 2021; 
Umer et al., 2021; Zizzo et al., 2020; Erba et al., 2020). For example, 
G6émez et al. proposed a new method called Selective and Iterative 
Gradient Sign Method (SIGM) that selectively modify the data of 
certain features in ICS devices to fool the DNN model into miss- 
classification. At the same time, researchers have also came up with 
solutions and suggestions to addressing the issue, such as adversarial 
learning (Anthi et al., 2021), image transformation (Agarwal et al., 
2020) and neural activation (Pawlicki et al., 2020). However, these 
methods are either specific to a particular attack (Anthi et al., 2021) 
or have not been specifically tested on ICS systems (Agarwal et al., 
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2020; Pawlicki et al., 2020). Hence, it is unknown if current ML 
approaches are resilient against adversarial attacks and are able to 
effectively detect all types of actual cyber attacks in ICS. 


In summary, the combinations of these four challenges led to one of 
the biggest challenges in developing ML based approaches which is 
the evaluation of realistic attacks. The performance of these 
approaches could never truly be evaluated due to the limitation in 
realistic attacks and datasets. Moreover, there is not a standardised 
set of performance metrics to measure these approaches with. 
Because of this, it is hard for the industry to adopt these approaches 
to their systems especially in Cl. Clearly, there is a strong need to 
address these challenges, not only to develop a more effective and 
scalable ML-based cyber attack detector, but to increase the 
trustworthiness of these new tools in the real-world. 
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SECTION 3 


Basic Exploitation 
1.Payload Development: 


SCADA/DNP3 stack has been designed and security is deployed 
within each layer including application layer, pseudotransport layer, 
and data link layer; a new dynamic buffer or cryptography dynamic 
buffer (CDB) is employed which keeps the information of security 
implementation and other related detail. CDB contains 56 bytes 
which would be utilized during whole security design and 
implementation. In Table 1, a field called “user bytes” is designated 
for those bytes, which have been constructed in DNP3 stack, while 
the other fields including source address, destination multicasting 
addresses, cryptography key sequence, and cryptography (bytes), 
dynamic storage (bytes), option (bytes), padding or dynamic bytes, 
acknowledgment, noncritical (bytes), critical (bytes), and solution or 
select method, belong to CDB, which performs distinct functions 
during security development. 


each time message has been multicast from main controller to 
subcontrollers or/and vice versa (in case of response, 
acknowledgment message); security is deployed before transmitting 
to open network, such that 3-way-hashing using SHA-2 algorithm is 
deployed at each layer, and symmetric encryption using AES 
algorithm is deployed in application layer and data link layer of DNP3 
protocol. Meaning that each subcontroller has two secret keys during 


ay 
= 

CD 

we 
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security deployment plus 3-way-hashing. The performance that 
shows is the bytes allocation and utilization during message design 
and security deployment. The CDB contains 56 bytes, which have 
been utilized during security development and are enough for 
information storage, even in case, maximum bytes, or user bytes as 
1992 bytes are received from user application layer to lower layer of 
DNP3; without use of CRC (cyclic redundancy code) bytes from data 
link layer. In few experiments, secret key is only employed on data 
link layer frame or link protocol data unit (LPDU) bytes, not in 
application layer. The corresponding performance results are 
significantly affected, while being compared with first security 
deployment scenario. In testbed, link layer frame or LPDU bytes are 
encrypted, but in few cases, this is difficult to identify the main 
controller or/and subcontrollers addresses. Therefore, two external 
fields, source address, 2-bytes (unassigned), and destination 
multicasting address, 4-bytes (unassigned), are added which would 
be meaning full in identification process, and authentication process 
of internal/external addresses during decryption operation, at data 
link layer. Table 2 shows the detail of CDB fields and corresponding 
bytes detail. 
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Number 


Field name 


Source address 
and port 


Destination 
multicasting 
addresses and 
ports 


User bytes 


Cryptography 
key sequence 


Cryptography: 
dynamic storage 


Occupied 
bytes 


2 bytes 


4 bytes 


2 bytes 


4 bytes 


22-56 
bytes 


Description 


External field 
representing the main 
controller address 
during multicasting 
transmission or in case 
of response from each 
subcontroller 


Representing the 
multicasting addresses 
of selected 
subcontrollers 


Keep the information of 
protocol constructed 
bytes 

Cryptography keys are 
employed with distinct 
numbers and counted 
in this field 


Information is updated 
and bytes are 
dynamically in/out, 
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Number 


10 


11 


Field name Cccupied 
bytes 
Option 2 bytes 
Padding 2 bytes 
Acknowledgment 2 bytes 


Critical 1 byte 


Noncritical 1 byte 


Solution: select 


method 1 byte 


Description 


according to the 
requirements 


Verify the contents of 
message, before 
transmission 


Ensure and show the 
status of completed 
message 

Main 
controller/subcontroller 
acknowledgment 
message 


Show the status of 
abnormal entity 


Ensure the bytes are 
flowed in normal 
transmission 


Show the detail of 
security method that is 
being used 
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Figure 3:Security implementation within DNP3 stack 


In Figure 4, SCADA/DNP3 stack is designed and bytes are flowed from 
user application layer to DNP3 application layer and downward. The 
DNP3 stack is designed to manage the maximum bytes which flow 
from user application layer or in case, when application layer buffer 
is full as 2048 bytes plus 56 bytes of CDB. The number of rows (RWs) 
and columns (CLs) with corresponding offsets shows the complete 
DNP logical stack, with security bytes. The highlighted bytes in DNP 
stack, the bytes 0x00c3 and Ox00c1, represent the application layer 
header bytes; the byte “Ox001c” is representing the pseudotransport 
layer header byte, and the bytes Ox00aa and Ox00cc are representing 
the data link layer header bytes, while the remaining highlighted 
bytes such as 0x001a, 0x00ee, 0x002a, and Ox00ee in application 
layer stack, OxO02a and Ox00ee in pseudotransport layer stack, and 
0x001a, Ox00ee, 0x002a, and Ox00ee in data link layer stack are 
representing the security bytes via cryptography dynamic buffer 
(CDB). The reaming bytes in hexadecimal format are representing the 
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user bytes which are constructed in DNP3 stack or each layer of 
DNP3 stack and the shaded area shows that the space is empty, and 
this would be filled up in case of 1992 user bytes that are 
constructed and manipulated in application layer. 


NP3 stack with UDP protocol 
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Figure 4:Logical bytes flow in DNP3 stack 


Scada Security Threats: For Machine learning Engineers 


The message is distinguished at application layer whether sending 
bytes or response bytes. In application layer, sending/response 
message is distinct by occupied bytes. Meaning that sending header 
contains two bytes and response header contains same fields of 
sending header, plus two bytes field called internal indication (IIN). 


Example. Suppose that main controller wants to execute read/write 
commands, and subcontroller (s) will response by employing IIN 
field. Such that 


Request: Read Function <C3 01> 
Response: <C3 81 00 00> 
Request: Write Function <C3 02> 


Response: <C3 81 00 00> 


The byte “C3” is representing the application control (AC) and 
function code (FC) “01” is added for read (request) and function code 
(FC) “02” is added for write (request). On the other side, internal 
indication (IIN) field contains two bytes, and corresponding codes 
<00 00> are generated in response, plus function code (FC) “81” in 
both cases: read and write. 


Request: Cold_Restart Function <C3 OD> 
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Response: <C3 81 00 00> 
Request: Warm_Restart Function <C3 OE> 


Response: <C4 81 00 00> 


In another example, main controller wants to execute the 
cold_restart and warm_restart functions using codes: OD and OE. In 
response, subcontrollers transmit IIN codes <00 00>, plus function 
code (FC) “81” in both cases, but AC code is different as “C3,” in case 
of cold_restart and “C4” in case of warm_restart. In multicasting, 
each subcontroller is responses with distinct sequence number. 
Application control (AC) field contains 5 bits subfield called sequence, 
plus 1 bit of confirmation. Therefore, each subcontroller is responses 
to main controller using distinct sequence numbers, from 0 to 15. 


The more concise flow of SCADA/DNP3 system is illustrated as in 
Figure 5. In multicasting flow, DNP3 protocol bytes are constructed in 
each layer, and corresponding functions are manipulated followed by 
request and response messages [25, 37]. At main controller side, 
DNP3 request is generated and multicast to remote terminal units 
(RTUs), followed by multicasting group. Four remote terminal units 
(RTUs) included RTU3, RTU4, RTU6, and RTU7 and are depicted 
which received the main controller request message. In response 
bytes flow, response is generated from RTUs and transmitted back to 
main controller; in this scenario, unicasting communication is 
employed rather than multicasting. Numbers of examples are taken 
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from SCADA/DNP3 transmission during flow of request/response 
bytes and are visualized as in Figure 6. 
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Figure 6 : SCADA/DNP3 communication: bytes flow during request/response messages. 
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3. Command and Control: 


A Command and Control attack is a type of attack that involves tools 
to communicate with and control an infected machine or network. To 
profit for as long as possible from a malware attack, a hacker needs a 
covert channel or backdoor between their server and the 
compromised network or machine. The cybercriminals server, 
whether a single machine or a botnet of machines, is referred to as 
the command-and-control server (C&C) server or C2 server. 


More than a billion malware programs exist, with over 300,000 being 
discovered each day. This rising specter of cyberattacks is not just the 
concern of governments and large corporations; 80% of malware 
attacks target small and midsize businesses (SMBs). 


For cybercriminals, a successful attack goes beyond unauthorized 
entry or malware installation. To profit from stolen data, a hacker 
typically must remain in the system or network undetected to carry 
out criminal activities. To do this, they use a command-and-control 
(C&C) server. C2 servers mimic trusted or unmonitored traffic to 
avoid detection for as long as possible. The backdoor channel they 
establish becomes a means to take control of the victim’s computer 
or network for criminal activities, such as data exfiltration, hijacking 
computers for cryptocurrency mining, or shutting down entire 
networks. 
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How Do Command-and-Control Attacks Work? 


For a command-and-control attack to work, the perpetrator must 
first infect the targeted machine or network with malware via a 
specific form of cyberattack, such as phishing, social engineering, or 
malvertising. 


An infected computer or device is called a zombie; and once 
compromised, the malware establishes communication with the C2 
server to acknowledge it is ready to receive commands from the 
controlling server. Through the established channel, the criminal host 
can install additional malicious software, extract data, and spread the 
infection to additional network resources. If able to compromise 
entire portions of the network, the command-and-control server will 
essentially control a botnet of infected machines. 
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Most organizations are protected from external attacks, so the 
challenge for hackers is to find a computer or network vulnerable to 
infection. If they gain access to the system, internal network security 
defenses are naturally less robust; so while the device first infected 
may not be the primary target, it is the doorway into the system. A 
hacker may target the following devices: 


4. Edge devices, such as routers and switches 
Internet-of-Things (loT) devices, such as hand-held scanners 
Laptops 

Smartphones 

Tablets 


oe ae a ol 


Server Architecture Used in C2 Attacks 


There is no single architecture used for C&C attacks, but hackers 
employ certain models. 


Centralized 


The centralized model is very similar to a traditional client-server 
model. The malware installed on the infected device(s) acts as the 
client, phoning home to the server for instruction at regular or 
random intervals. Centralized architecture is the easiest to detect 
and remove because it has a single-source IP address. To evade 
detection, hackers have to design servers that are more complex 
than traditional servers. In the context of this command-and-control 
definition, hackers may use load balancers, redirectors, and other 
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defense measures. Additionally, it is common for them to use well- 
known websites and public cloud services to host their server. 


Peer-to-Peer (P2P) 


P2P is basically a decentralized server, one that uses a botnet 
without a master or centralized module. It is a two-edged sword in 
that it is harder to detect, but it is also harder for the attacker to 
provide instructions for the entire botnet. One strategy used by 
malicious parties is to set up a centralized C2 server with a P2P 
server model as a backup in case the centralized C2 is detected and 
removed. 


Random 


The random C2 architecture is the hardest to detect and block. This is 
because the commands come from various, random sources, such as 
content delivery networks (CDNs), emails, social media images and 
comments, and so on. The danger is that not only are these sources 
random, but they are generally trusted, unblocked, and unsuspected. 


Dangers of and Potential Damages from C2 Attacks 


Regardless of the model followed, a malware infection that opens up 
a channel for command-and-control can compromise an organization 
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in numerous costly ways. And while the damage from some attacks is 
limited to one machine or portion of the network, other infections 
can spread extensively before detection. Here are some of the 
dangers and damages caused by C2 attacks: 


Data Theft 


The C&C channel can be used to exfiltrate data and copy it to the C2 
server. This may include sensitive company or client information, 
financial documents, proprietary property, and other data that can 
be leveraged or sold. 


Reboot 


Repeated, random shutdowns initiated by the infected machine can 
disrupt operations and require duplication of efforts by personnel. 
The cost of downtime and reduced productivity can be difficult to 
measure but definitely impacts the bottom line. 


Malware/Ransomware 


One malware infection on the network can cascade into multiple 
infections. Additionally, the compromised network can be left open 
to other types of attacks, such as ransomware, which locks up data or 
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accounts with encryption until the organization pays the perpetrator 
a “ransom” of money, cryptocurrency, or sensitive data. 


Shutdown 


The criminal in control of network resources could cause a complete 
system shutdown or hold the organization at ransom to prevent a 
shutdown. The cost may be directly financial or a result of downtime 
and lost resources. 


Distributed Denial-of-Service Attacks (DDoS) 


If infection spreads throughout the network, the infected machines 
could be used to form a botnet at the disposal of malicious parties. 
This means that potential dangers can spread to other organizational 
resources, or even additional organizations, because botnets are 
traditionally used for DDoS attacks where servers or networks are 
flooded with traffic to overwhelm them or even take them offline. 
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3.Elevation of Privilege: 


Elevation of privilege (EoP) is a common attack vector in SCADA 
systems that can give attackers unauthorized access to critical system 
resources and functions. SCADA systems are widely used in critical 
infrastructure such as power plants, water treatment facilities, and 
transportation systems, making them an attractive target for 
attackers. 


Elevation of privilege attacks can be carried out in many ways, such 
as exploiting vulnerabilities in the software or firmware used in the 
SCADA system, or by using social engineering techniques to trick an 
authorized user into granting the attacker higher-level access. Some 
of the common vulnerabilities in SCADA systems that can be 
exploited for elevation of privilege attacks include weak passwords, 
unpatched systems, and unsecured network connections. 


Mitigation Techniques: Preventing elevation of privilege attacks in 
SCADA systems requires a multi-layered approach that includes 
access controls, regular updates, network segmentation, intrusion 
detection and prevention, and regular security audits. Access 
controls can be implemented to limit the access of users to only the 
resources they need to perform their job functions. 


To mitigate the risk of EoP attacks in SCADA systems, several security 
measures can be implemented. These include: 
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1.Access controls: 


Access controls are an important security measure to mitigate the 
risk of Elevation of Privilege (EoP) attacks in SCADA systems. Access 
controls help to limit the access of users to only the resources they 
need to perform their job functions, which can help to prevent 
attackers from gaining elevated privileges. 


Access controls can be implemented at various levels in a SCADA 
system, including the operating system, the network, and the 
application layer. Some examples of access controls that can be 
implemented in a SCADA system include: 


1. Role-based access control (RBAC): RBAC is a method of 
access control that assigns permissions to users based on 
their roles. For example, a user with the role of "operator" 
may only have access to a limited set of functions, while a 
user with the role of "administrator" may have access to 
more functions. 


2. Authentication and authorization: Authentication is the 
process of verifying the identity of a user, while authorization 
is the process of granting or denying access to resources 
based on the user's identity and permissions. Strong 
authentication and authorization mechanisms can help to 
prevent unauthorized access to critical system resources. 
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2. Regular updates and patching: Regular updates and patching are 
important security measures to mitigate the risk of Elevation of 
Privilege (EoP) attacks in SCADA systems. SCADA systems are complex 
and often rely on multiple software and firmware components, 
which can introduce vulnerabilities that attackers can exploit to gain 
elevated privileges. 


To address these vulnerabilities, regular updates and patching should 
be performed to ensure that the system is running the latest version 
of software and firmware, which may contain security fixes and 
improvements. Some best practices for implementing regular 
updates and patching in SCADA systems include: 


1. Establish a patch management process: A patch 
management process should be established to ensure that 
updates and patches are applied in a timely and consistent 
manner. This process should include identifying and 
prioritizing vulnerabilities, testing patches before 
deployment, and scheduling regular maintenance windows. 


3. Network segmentation: Network segmentation is a critical security 
measure that can help to mitigate the risk of Elevation of Privilege 
(EoP) attacks in SCADA systems. Network segmentation involves 
dividing a network into smaller, isolated subnetworks, or segments, 
which can help to contain the spread of malware and limit the 
potential impact of an EoP attack. 
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In a SCADA system, network segmentation can be implemented in a 
number of ways, including: 


1. Physical separation: Physical separation involves physically 
isolating different parts of a network from each other using 
firewalls, air gaps, or other physical barriers. This can help to 
prevent attackers from moving laterally across the network 
and gaining access to critical assets. 


2. VLANs: Virtual Local Area Networks (VLANs) can be used to 
logically separate different parts of a network without the 
need for physical separation. VLANs can be used to isolate 
SCADA networks from corporate networks, or to separate 
different parts of the SCADA network based on function or 
location. 


3. Access control lists (ACLs): ACLs can be used to restrict 
traffic between different parts of a network based on the 
source and destination IP address, port number, or protocol. 
This can help to prevent unauthorized access to critical assets 
and limit the spread of malware. 
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4. Intrusion detection and prevention: Intrusion detection and 
prevention are critical components of any comprehensive security 
strategy for SCADA systems. Intrusion detection systems (IDS) and 
intrusion prevention systems (IPS) can help to detect and prevent 
Elevation of Privilege (EoP) attacks in SCADA systems. 


IDS systems monitor network traffic and system logs for signs of 
suspicious activity, such as unauthorized access attempts or unusual 
system behavior. When an IDS detects a potential threat, it can 
generate an alert to notify security personnel, who can then 
investigate the incident and take appropriate action. 


IPS systems go one step further by actively blocking or mitigating 
threats in real-time. For example, an IPS may block network traffic 
from a known malicious IP address or prevent a user from executing 
a suspicious command on a SCADA system. 


When implementing IDS and IPS systems in a SCADA environment, it 
is important to consider the unique characteristics of these systems 
and the potential impact of false positives or false negatives. False 
positives can generate unnecessary alerts and consume valuable 
resources, while false negatives can fail to detect a real threat. 


To mitigate these risks, it is recommended to use a combination of 
signature-based and behavior-based detection methods, as well as 
regularly updating and tuning the system to ensure it is effectively 
detecting and preventing threats. 
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5. Regular security audits: Regular security audits are an essential 
part of maintaining a secure SCADA system. Audits should be 
conducted periodically to assess the effectiveness of security controls 
and to identify any vulnerabilities or weaknesses in the system. The 
audits should be conducted by independent third-party security 
experts who have the necessary expertise and experience to identify 
potential threats and vulnerabilities. 


During the security audit, the auditor should review the system 
architecture, network topology, access controls, authentication 
mechanisms, and other security controls in place. The audit should 
also include vulnerability assessments, penetration testing, and other 
techniques to identify potential security gaps. 


Once the audit is complete, the auditor should provide a detailed 
report of their findings and recommendations for improving the 
security posture of the SCADA system. The organization should then 
use this information to make necessary changes and improvements 
to the system to mitigate any identified risks and vulnerabilities. 


Regular security audits help ensure that the SCADA system remains 
secure and protected from potential threats and attacks. They also 
help organizations stay compliant with industry regulations and 
standards. 
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4.Establish Persistence 

Establishing persistence in a SCADA system refers to the ability to 
maintain a foothold in the system even after a restart or reboot. This 
is a critical aspect of an attacker's strategy as it allows them to 
maintain access to the system even after initial access has been lost. 


To establish persistence in a SCADA system, attackers often use 
various techniques such as backdoors, rootkits, and malware. These 
techniques allow attackers to maintain a presence in the system, 
even if the system administrator or security team detects and 
removes the initial intrusion. 


To prevent attackers from establishing persistence in a SCADA 
system, organizations should implement a multi-layered security 
approach that includes: 


1. Regular system updates and patching to ensure that all 
vulnerabilities are addressed and mitigated. 


2. Network segmentation to isolate critical systems and limit access 
to them. 


3. Intrusion detection and prevention systems to detect and prevent 
unauthorized access and activity. 


4. Regular security audits to identify and address any potential 
vulnerabilities or weaknesses in the system. 
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5. User access controls and authentication mechanisms to ensure 
that only authorized personnel can access the system. 


So this has been an issue I'm trying to tackle for a good part of the 
year, and one I've tried a few solutions for but ultimately none of 
which I've been completely satisfied with yet. So I'm asking for some 
guidance from those of you more experienced than | am. 


Basically I'm looking to implement persistence on point state alarms 
from analog points. For example, if | have a well level reported by a 
SCADAPack (ranged 0-100%) and it has an alarm on the '1 Low' state 
of say 30% with an Enabled Unsolicited RTU event. | want to be able 
to set a persistence time on it for say 5 minutes. This means if the 
well level goes from 33% to 28% and does not rise back up past 30% 
within the next 5 minutes, | want ClearSCADA to raise an alarm. 
However, if the well level goes from 33%->28%->32% within the 
span of say 2 minutes, | don't want ClearSCADA to raise an alarm on 
that point at all. 


Some solutions | have explored: 

Setting Persistence into Alarm 

My understanding is this delay the RTU from generating an event for 
the point state change from 'Normal' to '1 Low' and if the point 


returns to the normal state within the persistence delay, it does not 
even generate the point state change event at all. 
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My experience with this is that it seems to work great for binary 
points (after getting some forum help) but not so much for analog 
points. The reason is the change in analog value that triggers the 
alarm is usually large enough to surpass the event deviation. So the 
RTU will generate an unsolicited event regardless, not for the actual 
state change but for the value change. ClearSCADA processes this 
value change event and updates the point value, immediately raising 
an alarm despite the delay on ‘Persistence Into Alarm’. 


I've abandoned this approach for now but if there is a way to make it 
work, I'm all ears. 


Implement persistence as RTU code and the actual alarm as a 
separate binary point 


Probably the most robust solution, however | am concerned about 
the increase in point count as this would mean every analog point 
will need to be accompanied by one or multiple digital points to 
store each alarm. If it is to be integrated in a SCADA template, it 
would mean a lot of extra digital points that need to be created for 
each possible alarm that could appear on the analog. 

Using 'pending severities' and alarm redirection 


This is currently where I'm at. I've made some dummy ‘pending 
alarm' severities and used alarm redirection to escalate them (after a 
delay) to actual alarm severities that the operators can visibly see 
and act upon. 
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The main issue with this is the pending alarm needs to be somehow 
acknowledged if it doesn't get escalated into an actual alarm, 
otherwise the point will just stay in an unack-cleared state. The only 
way | can see to fix this is to write some logic that's called via 
redirection on alarm clear to auto-acknowledge that pending alarm. 
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Figure 7:Configure Alarm Persistence 


5. Gather Loot 

in the context of cyber-attacks, it can refer to the process of stealing 
or exfiltrating data from a compromised system. 

In a SCADA system, attackers may target sensitive information such 
as operational data, control system configurations, or other 
confidential information. This information can be used to launch 
further attacks, disrupt operations, or sell the information on the 
black market. 


To prevent attackers from gathering loot in a SCADA system, 
organizations should implement strict access controls and 
authentication mechanisms to ensure that only authorized 
personnel can access sensitive information. Network segmentation 


Scada Security Threats: For Machine learning Engineers 


should also be used to isolate critical systems and limit access to 
them. 


In addition, organizations should implement data encryption and 
data loss prevention measures to protect sensitive information from 
unauthorized access and exfiltration. Regular security audits should 
also be conducted to identify and address any potential 
vulnerabilities or weaknesses in the system. 


6.Lateral Movement 

Lateral movement in SCADA systems refers to the ability of a cyber 
attacker to move horizontally across different systems or networks 
within the SCADA environment. This allows the attacker to gain 
access to sensitive data, control systems, and cause significant 
damage to critical infrastructure. 

There are several techniques that attackers can use to achieve 
lateral movement in SCADA systems. These include exploiting 
vulnerabilities in software, using stolen credentials, and leveraging 
social engineering techniques to gain access to sensitive systems. 
Once an attacker gains access to a system, they can use various tools 
and techniques to move laterally across the network, such as using 
remote access tools, exploiting unsecured network protocols, and 
using malware to gain control of other systems. 


To prevent lateral movement attacks in SCADA systems, it is 
essential to implement strong security measures. These may include 
using firewalls, intrusion detection systems, and access controls to 
limit access to critical systems. Additionally, regular security audits 
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and vulnerability assessments can help identify and address 
vulnerabilities that could be exploited by attackers. 


One of the key challenges in preventing lateral movement attacks in 
SCADA systems is identifying and mitigating vulnerabilities in third- 
party software and hardware. Many SCADA systems use components 
from multiple vendors, and vulnerabilities in any of these 
components can be exploited by attackers to gain access to critical 
systems. 


Another challenge is the complexity of SCADA systems. These 
systems often have multiple layers of hardware and software, and 
each layer may have its own vulnerabilities and security controls. 
This complexity makes it difficult to identify and address 
vulnerabilities that could be exploited by attackers. 


To address these challenges, organizations can take several steps. 
These include implementing a layered security approach that 
includes firewalls, intrusion detection systems, and access controls. 
Additionally, organizations can conduct regular security audits and 
vulnerability assessments to identify and address vulnerabilities in 
their SCADA systems. Finally, organizations can work with vendors to 
ensure that third-party components are secure and up-to-date. 
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7.Chained Exploits 

Chained exploits in SCADA systems refer to the use of multiple 
exploits or vulnerabilities in a sequence to achieve a specific goal, 
such as gaining access to sensitive data or control of critical 
infrastructure. These types of attacks can be challenging to detect 
and prevent, as they often involve multiple stages and may use a 
combination of known and unknown vulnerabilities. 


One example of a chained exploit in a SCADA system is a targeted 
attack on a specific system or network segment. The attacker may 
begin by using a phishing email to gain access to an employee's 
computer, which may have access to the SCADA system. From there, 
the attacker may use a second exploit to gain access to the SCADA 
system, such as exploiting a vulnerability in the software or 
hardware used in the SCADA system. Once inside the SCADA system, 
the attacker may use additional exploits to gain access to critical 
infrastructure or sensitive data. 


To prevent chained exploit attacks in SCADA systems, it is essential 
to implement strong security measures. These may include using 
firewalls, intrusion detection systems, and access controls to limit 
access to critical systems. Additionally, regular security audits and 
vulnerability assessments can help identify and address 
vulnerabilities that could be exploited by attackers. 


Another important step is to ensure that employees are trained to 
recognize and avoid phishing emails and other social engineering 
techniques that attackers may use to gain access to the SCADA 
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system. This can include regular security awareness training and 
testing to help employees identify and avoid these types of attacks. 
How Chained Exploits Work 


Chained exploits work by leveraging multiple vulnerabilities in a 
system or network. The attacker first identifies a vulnerability that 
can be exploited to gain access to the system or network. Once they 
have gained access, they can then use that access to identify and 
exploit additional vulnerabilities. This process continues until the 
attacker has gained access to the desired information or resource. 


One common technique used in chained exploits is the use of 
privilege escalation. Privilege escalation refers to the process of 
gaining higher levels of access to a system or network than what was 
originally granted. This can be done by exploiting vulnerabilities in 
the system or network that allow the attacker to elevate their 
privileges. 


Another technique used in chained exploits is the use of multiple 
exploits in combination. For example, an attacker may use a SQL 
injection vulnerability to gain access to a database, and then use a 
buffer overflow vulnerability to gain control of the system. 


Preventing Chained Exploits 


Preventing chained exploits requires a multi-layered approach. The 
first step is to identify and patch vulnerabilities in the system or 
network. This can be done through regular vulnerability scanning 
and patch management. 
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Another important step in preventing chained exploits is to 
implement strong access controls. This includes limiting access to 
sensitive information and resources, and implementing strong 
authentication and authorization mechanisms. 
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Session 4 
Discovering & Exploiting ICS Weaknesses 


Industrial control systems (ICS) are used to control and automate 
critical infrastructure systems, such as power plants, water 
treatment facilities, and transportation systems. These systems are 
essential to the functioning of modern society, but they are also 
vulnerable to cyber-attacks. In recent years, there have been several 
high-profile attacks on ICS systems, highlighting the need for 
improved security measures. This paper will explore the 
vulnerabilities of ICS systems and the techniques used to discover 
and exploit them. 


Vulnerabilities of ICS Systems 
ICS systems are vulnerable to several types of attacks, including: 


1. Malware: Malware can be introduced into an ICS system through a 
variety of means, such as infected USB drives or phishing emails. 
Once inside the system, the malware can disrupt operations or steal 
sensitive information. 


2. Remote Access: Many ICS systems are accessible from the 
internet, making them vulnerable to remote attacks. Attackers can 
exploit vulnerabilities in the system's remote access protocol to gain 
unauthorized access. 
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3. Insufficient Authentication: Many ICS systems use weak or default 
passwords, making them vulnerable to brute-force attacks. Attackers 
can also exploit vulnerabilities in the authentication process to 
bypass login screens. 


4. Lack of Patching: ICS systems often run on outdated software and 
hardware that may no longer receive security updates. This makes 
them vulnerable to known exploits that have not been patched. 


Techniques for Discovering and Exploiting ICS Weaknesses 


There are several techniques used by attackers to discover and 
exploit weaknesses in ICS systems, including: 


1. Network Scanning: Attackers use network scanning tools to 
identify ICS systems that are connected to the internet. Once they 
have identified a system, they can use port scanning tools to identify 
open ports and services. 


2. Vulnerability Scanning: Vulnerability scanning tools can be used to 
identify vulnerabilities in ICS systems. These tools scan the system 
for known vulnerabilities and provide a report of any weaknesses 
that are found. 


3. Social Engineering: Social engineering techniques, such as phishing 
emails and phone calls, can be used to trick employees into revealing 
sensitive information or providing access to the system. 
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4. Exploiting Known Vulnerabilities: Attackers can exploit known 
vulnerabilities in ICS systems to gain unauthorized access. This can 
be done through the use of exploit kits or by manually exploiting 
vulnerabilities in the system. 


Preventing ICS Attacks 


Preventing attacks on ICS systems requires a multi-layered approach 
that includes: 


1. Network Segmentation: ICS systems should be segmented 
from the corporate network and the internet to limit the 
attack surface. 


2. Access Controls: Strong access controls, such as two-factor 
authentication and least privilege, should be implemented to 
limit access to sensitive information and resources. 


3. Patch Management: Regular patching of ICS systems is 
essential to prevent known vulnerabilities from being 
exploited. 


4. Employee Training: Employees should be trained on how 
to identify and prevent social engineering attacks. 
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1.Host-based Targets 

Host-based targets are a type of target used in SCADA (Supervisory 
Control and Data Acquisition) systems. In SCADA systems, a target is 
an object or device that is monitored or controlled by the system. 
Host-based targets are those that are located on a specific host or 
computer in the network. 

In a SCADA system, host-based targets can include servers, 
workstations, and other devices that are connected to the network. 
These targets are monitored and controlled by the SCADA system, 
which can collect data from sensors, process data, and issue 
commands to the targets. 

Host-based targets are often used in industrial control systems, such 
as those used in manufacturing, energy production, and other critical 
infrastructure. These systems require precise control and monitoring 
to ensure safe and efficient operations. To implement host-based 
targets ina SCADA system, the system must be able to identify and 
communicate with the targets on the network. This typically involves 
setting up a network topology that allows the SCADA system to 
communicate with the targets, as well as configuring the SCADA 
software to recognize and interact with the targets. 

Network security is a system solely made to target all the traffic 
passing from the Internet to LAN and vice versa to create a secure 
infrastructure. It filters out all the users and is found ideal for the 
defense of the underlying networking structure from illegal access, 
misuse, or shoplifting. For enhanced security purposes of devices, 
applications, and customers, it guards your data against intrusions 
and cyber threats. 
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A host-Based Security System is an advanced software application, or 
we can say a collection of various applications that are installed on a 
singular server, laptop, or computer. It is made to offer consistent 
and fool-proof security by detecting upcoming traffic or new hosts, 
confirming signatures, and inspecting firewall strategies. Majorly 
used in the United States Department of Defense security system, 
HBSS analyzes and eliminates minor to major threats via robust 
firewall protection. 

Starting from the scratch, let’s see what is meant by HBSS and NBSS 
before moving on to their best practices and common issues! Truly 
speaking, host based and network-based security issues can get 
tricky to handle 


Network security is a system solely made to target all the traffic 
passing from the Internet to LAN and vice versa to create a secure 
infrastructure. It filters out all the users and is found ideal for the 
defense of the underlying networking structure from illegal access, 
misuse, or shoplifting. For enhanced security purposes of devices, 
applications, and customers, it guards your data against intrusions 
and cyber threats. 


A host-Based Security System is an advanced software application, or 
we can say a collection of various applications that are installed on a 
singular server, laptop, or computer. It is made to offer consistent 
and fool-proof security by detecting upcoming traffic or new hosts, 
confirming signatures, and inspecting firewall strategies. Majorly 
used in the United States Department of Defense security system, 
HBSS analyzes and eliminates minor to major threats via robust 
firewall protection. 
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2.Device-based Targets 

Device-based targets are specific hardware or software platforms 
that are targeted for a particular marketing campaign or advertising 
initiative. These targets can include devices such as smartphones, 
tablets, laptops, and desktop computers, as well as operating 
systems such as iOS, Android, Windows, and macOS. 
Device-based targeting allows advertisers to reach their intended 
audience on the devices they use most frequently, which can 
increase the effectiveness of their campaigns. For example, an 
advertiser may choose to target iPhone users with a new app 
release, as iPhone users are more likely to download and use apps 
than users of other devices. 


Device-based targeting can also be used to tailor advertising content 
to specific devices. For example, an advertiser may choose to display 
a mobile-friendly version of their website to users on smartphones, 
while displaying a more detailed desktop version to users on laptops 
and desktop computers. 

Device-based targets in SCADA (Supervisory Control and Data 
Acquisition) refer to the specific hardware or software platforms that 
are targeted for monitoring and control in an industrial process. In 
SCADA systems, devices such as sensors, PLCs (Programmable Logic 
Controllers), RTUs (Remote Terminal Units), and HMIs (Human 
Machine Interfaces) are targeted for communication and data 
exchange. 


SCADA systems use device-based targeting to collect data from 
sensors and other devices, analyze it, and provide actionable insights 
to operators and managers. By targeting specific devices, SCADA 
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systems can monitor and control industrial processes in real-time, 
and provide alerts and notifications when anomalies or issues are 
detected. 


Device-based targeting in SCADA systems also allows for remote 
access and control of industrial processes, which can improve 
operational efficiency and reduce downtime. For example, operators 
can remotely access and control equipment from a central location, 
eliminating the need for on-site visits and reducing the risk of 
accidents. 

Device-based targeting refers to the specific hardware or software 
platforms that are targeted for monitoring and control in an 
industrial process. In SCADA systems, devices such as sensors, PLCs, 
RTUs, and HMlls are targeted for communication and data exchange. 
Device-based targeting allows SCADA systems to collect data from 
specific devices, analyze it, and provide actionable insights to 
operators and managers. By targeting specific devices, SCADA 
systems can monitor and control industrial processes in real-time 
and provide alerts and notifications when anomalies or issues are 
detected. 


Benefits of Device-Based Targeting 


Device-based targeting in SCADA systems provides several benefits 
for industrial processes, including: 


1. Real-time monitoring and control: Device-based targeting allows 
SCADA systems to monitor and control industrial processes in real- 
time, which can improve operational efficiency and reduce 
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downtime. By collecting data from sensors and other devices, SCADA 
systems can quickly detect and respond to anomalies or issues, 
preventing equipment failure and reducing downtime. 


2. Remote access and control: Device-based targeting allows 
operators to remotely access and control equipment from a central 
location, eliminating the need for on-site visits and reducing the risk 
of accidents. This can improve operational efficiency and reduce 
costs associated with maintenance and repairs. 


3. Improved data analysis: Device-based targeting allows SCADA 
systems to collect data from specific devices, which can improve 
data analysis and provide more accurate insights. By analyzing data 
from specific devices, SCADA systems can identify trends and 
patterns, enabling operators to make informed decisions about 
process optimization and maintenance. 


4. Enhanced security: Device-based targeting allows SCADA systems 
to implement security measures at the device level, improving 
overall system security. By implementing security measures at the 
device level, SCADA systems can prevent unauthorized access and 
protect against cyber threats. 


Device-based targeting is an essential component of SCADA systems, 
enabling operators to monitor and control industrial processes in 
real-time and providing actionable insights to improve operational 
efficiency and reduce downtime. By targeting specific devices, 
SCADA systems can collect data, analyze it, and provide alerts and 
notifications when anomalies or issues are detected. Device-based 
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targeting also allows for remote access and control, improved data 
analysis, and enhanced security, providing several benefits for 
industrial processes. 


3.Network-based Targets 

Network-based targeting refers to the specific networks or 
communication protocols that are targeted for monitoring and 
control in an industrial process. In SCADA systems, networks such as 
Ethernet, Modbus, and DNP3 are targeted for communication and 
data exchange. Network-based targeting allows SCADA systems to 
collect data from multiple devices and systems, analyze it, and 
provide actionable insights to operators and managers. By targeting 
specific networks, SCADA systems can monitor and control industrial 
processes in real-time and provide alerts and notifications when 
anomalies or issues are detected. 


Benefits of Network-Based Targeting 


Network-based targeting in SCADA systems provides several benefits 
for industrial processes, including: 


1. Increased visibility: Network-based targeting allows SCADA 
systems to collect data from multiple devices and systems, 
providing increased visibility into industrial processes. By 
monitoring multiple networks, SCADA systems can detect and 
respond to issues quickly, improving operational efficiency 
and reducing downtime. 

Network-based targeting in security refers to the process of 
identifying and monitoring potential threats to a network by 
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analyzing network traffic patterns and behavior. This approach 
allows security analysts to detect and respond to attacks more 
quickly and effectively, reducing the risk of data breaches and other 
security incidents. 

One of the key advantages of network-based targeting is that it 
enables security teams to monitor multiple devices and systems 
simultaneously, providing a more comprehensive view of the 
network and potential threats. By analyzing traffic patterns and 
behavior, security analysts can identify unusual activity that may 
indicate a security breach or other threat. 

Another benefit of network-based targeting is that it allows security 
teams to prioritize their response efforts based on the severity of the 
threat. By focusing on the most critical threats first, security teams 
can reduce the risk of data loss or other damage. 


To implement network-based targeting, organizations typically use a 
combination of tools and technologies, including intrusion detection 
and prevention systems, security information and event 
management (SIEM) systems, and network traffic analysis tools. 
These tools enable security analysts to monitor network traffic in 
real-time, detect potential threats, and respond quickly to prevent or 
mitigate damage. 
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SECTION 5 
ICS Pwning ICS Operations 


ICS Pwning ICS Operations refers to the practice of hacking and 
compromising Industrial Control Systems (ICS) used in critical 
infrastructure operations. ICS are computer-based systems that 
control and monitor physical processes in industries such as energy, 
water, transportation, and manufacturing. These systems are often 
connected to the internet or other networks, making them 
vulnerable to cyber-attacks. 


ICS Pwning involves exploiting vulnerabilities in ICS systems to gain 
unauthorized access, disrupt operations, and cause physical damage. 
Cyber-attacks on ICS systems can have serious consequences, 
including power outages, water contamination, transportation 
disruptions, and even loss of life. 


Some of the common tactics used in ICS Pwning include spear- 
phishing attacks, malware injection, and exploiting vulnerabilities in 
software and hardware. Attackers may also use social engineering 
techniques to trick employees into revealing sensitive information or 
granting access to systems. 


To prevent ICS Pwning, organizations must implement robust 
security measures, including network segmentation, access controls, 
and intrusion detection and prevention systems. Regular 
vulnerability assessments and penetration testing can also help 
identify and address weaknesses in ICS systems. 
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To mitigate the threats to ICS systems, organizations can take the 
following measures: 


1. Segregate Networks: ICS systems should be isolated from 
corporate networks and the Internet to reduce the attack surface. 


2. Update Software: ICS systems should be updated regularly to 
address known vulnerabilities. 


3. Strong Authentication: ICS systems should use strong passwords 
and two-factor authentication to prevent unauthorized access. 


4. Patching: ICS systems should be patched regularly to address 
known exploits. 


5. Secure Communication: ICS systems should use secure 
communication protocols to prevent interception and manipulation. 


6. Monitoring: ICS systems should be monitored and logged to 
detect and respond to cyber threats. 


1.“Crash and Burn” vs “Conquer and Control” 


"Crash and Burn" refers to a situation where an attacker aims to 
disrupt or destroy the targeted system, causing it to become 
inoperable or malfunctioning. This approach can be done through 
various methods, such as denial-of-service attacks, malware 
infections, or physical destruction. 
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On the other hand, "Conquer and Control" refers to a situation 
where an attacker aims to gain unauthorized access to the targeted 
system and take control of it. This approach allows the attacker to 
manipulate the system, steal data, or use it for further attacks. 
While both approaches can cause significant damage to the targeted 
system and organization, "Conquer and Control" is often more 
dangerous as it allows the attacker to maintain a persistent presence 
and continue to carry out malicious activities undetected. 


A "Crash and Burn" attack on a SCADA system aims to disrupt or 
disable the system, causing it to fail or shut down. This can be 
achieved by sending malicious commands or data to the system, 
overloading it with traffic, or exploiting vulnerabilities in the 
software or hardware. The consequences of a successful "Crash and 
Burn" attack can be severe, such as loss of production, equipment 
damage, or even safety hazards. 


On the other hand, a "Conquer and Control" attack on a SCADA 
system aims to gain unauthorized access and take control of the 
system. This can be achieved by exploiting vulnerabilities in the 
network, software, or hardware, or by using social engineering 
tactics to trick authorized users into revealing their credentials. The 
objective of a "Conquer and Control" attack can vary, from stealing 
sensitive data to manipulating the system's operations or causing 
physical damage. 
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Detection avoidance refers to the techniques and methods used by 
attackers to evade detection by security mechanisms such as 
intrusion detection systems (IDS) or anti-virus software. The goal of 
detection avoidance is to allow attackers to remain undetected for 
as long as possible, increasing their chances of successfully carrying 
out an attack. 


Some common techniques used in detection avoidance include: 


1. Encryption: Attackers can encrypt their malicious code or network 
traffic to make it more difficult for security tools to detect. 


2. Polymorphism: Malware can be designed to change its code or 
behavior to evade signature-based detection methods. 


3. Rootkit installation: Attackers can install rootkits to hide their 
presence on a system and make it more difficult to detect their 
activities. 


4. Traffic shaping: Attackers can modify the volume, timing, and 
frequency of their network traffic to avoid detection by traffic 
analysis tools. 


5. Anti-forensic techniques: Attackers can use anti-forensic 
techniques to erase their tracks, making it more difficult for 
investigators to trace their activities. 


To combat detection avoidance, security professionals use a variety 
of techniques such as behavior-based detection, anomaly detection, 
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and heuristics-based detection. These methods focus on identifying 
suspicious behaviors or activities that may indicate an attack, rather 
than relying solely on signature-based detection methods. 
Additionally, regular security updates, patching, and employee 
training can also help prevent attacks by ensuring that security 
systems are up-to-date and that employees are aware of security 
risks and best practices. 


To understand the concept of detection avoidance, you can refer to 
the following resources: 


1. "Detection Avoidance Techniques in Modern Malware" by 
Symantec: This whitepaper provides an in-depth analysis of the 
detection avoidance techniques used in modern malware and how 
they can be detected. 


2. "Detecting Evasive Malware" by SANS Institute: This paper 
discusses the challenges of detecting evasive malware and provides 
best practices for detecting and preventing it. 


3. "Evasion Techniques and Detection in Advanced Persistent 
Threats" by FireEye: This report provides an overview of evasion 
techniques used by advanced persistent threats (APTs) and how to 
detect them. 


4. "Detecting Advanced Persistent Threats" by MITRE: This paper 
provides an overview of APTs and how to detect them using various 
techniques. 
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5. "Detecting Malware with Behavior-Based Analysis" by Palo Alto 
Networks: This whitepaper discusses the importance of behavior- 
based analysis in detecting malware and how to implement it 
effectively. 


3.“Redundancy or Not” 

Redundancy is a concept in security where multiple systems or 
components are used to provide backup or failover in case one 
system or component fails. This is important in security systems as a 
single point of failure can leave the system vulnerable to attacks or 
compromise. Redundancy can be implemented in various ways, 
including hardware redundancy (using multiple physical devices), 
software redundancy (using multiple instances of software), or 
network redundancy (using multiple network paths). 


When deciding whether to implement redundancy in a security 
system, it is important to consider factors such as the criticality of 
the system, the potential impact of a failure, and the cost and 
complexity of implementing redundancy. In some cases, redundancy 
may be essential to ensure the security and availability of the 
system, while in other cases it may not be necessary or cost- 
effective. 
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4.System Architecture (Gray Box) — Multi-Zone No Redundancy 


In a system architecture with a gray box design, the internal 
workings of the system are not fully visible to the user or 
administrator. This means that some components of the system may 
be opaque, while others are transparent and can be modified or 
customized. 


In a multi-zone system architecture with no redundancy, the system 
is divided into multiple zones, each with its own set of components 
and security measures. However, there is no redundancy or backup 
system in place, which means that if one zone fails, the entire system 
may be compromised. 


This type of system architecture is generally not recommended for 
critical systems or those that require high availability and reliability. 
Without redundancy, the system is vulnerable to single points of 
failure, which can result in downtime or security breaches. 

in some cases, a multi-zone system with no redundancy may be 
appropriate for non-critical systems where downtime or security 
breaches are not a major concern. In such cases, it is important to 
ensure that each zone is properly secured and that regular backups 
are taken to minimize the impact of any failures. 


In a (Gray Box) Multi-Zone No Redundancy system architecture, the 
system is divided into multiple zones, with each zone having its own 
set of components and security measures. However, there is no 
redundancy or backup system in place, which means that if one zone 
fails, the entire system may be compromised. 
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The gray box design means that some components of the system are 
hidden from the user or administrator, while others are transparent 
and can be modified or customized. This type of system architecture 
is generally not recommended for critical systems or those that 
require high availability and reliability. 


Without redundancy, the system is vulnerable to single points of 
failure, which can result in downtime or security breaches. However, 
in some cases, a multi-zone system with no redundancy may be 
appropriate for non-critical systems where downtime or security 
breaches are not a major concern. 

It is important to ensure that each zone is properly secured, and that 
regular backups are taken to minimize the impact of any failures. 
Additionally, proper monitoring and alerting systems should be in 
place to quickly identify and address any issues that arise. 
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Conclusion 


the book highlights the importance of SCADA security systems in 
safeguarding critical infrastructure from cyber threats. The authors 
provide a detailed understanding of the architecture, components, 
and security vulnerabilities of SCADA systems, and recommend best 
practices for securing them. The book emphasizes the need for risk 
management, threat intelligence, and incident response planning to 
minimize the impact of cyber-attacks. It also stresses the importance 
of collaboration between IT and OT teams to ensure effective 
security measures. 

SCADA systems play a critical role in controlling and monitoring 
complex industrial processes. They provide valuable insights into the 
performance of industrial processes, enabling operators to make 
informed decisions and improve efficiency. However, the increasing 
threat of cyber-attacks poses a significant risk to the security and 
reliability of SCADA systems. The book provides a comprehensive 
overview of SCADA systems, including their architecture, 
components, and vulnerabilities. It emphasizes the importance of 
implementing robust security measures to protect SCADA systems 
from cyber threats. The book recommends best practices for 
securing SCADA systems, including risk management, continuous 
monitoring, and incident response planning. Overall, the book is an 
essential resource for professionals in the industrial control systems 
field, providing valuable insights and practical guidance to enhance 
the security and reliability of SCADA systems. 
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